Limit comments moderation

Limit comments moderation

Limit comments moderation

Who can moderate post comments in WordPress? There are: post author, editors, administrators, that is all users who can edit post for which the comment is sent. Let’s suppose you don’t wish that your authors and editors have ability to moderate comments. How to achieve that? If you look at WordPress capabilities list you find fast the ‘moderate_comments’ capability. So quick decision is to turn off ‘moderate_comments’ capability for the ‘Author’ and ‘Editor’ roles. It’s simple task with the help of User Role Editor WordPress plugin. But you will discover soon that it’s not enough. Why?
Because of WordPress developers selected ‘edit_posts’ as the critical capability to decide has user permission for comments moderation or not. If you open /wp-admin/edit-comments.php, where comment moderation user interface lives, you will see:

if ( !current_user_can('edit_posts') )
  wp_die(__('Cheatin’ uh?'));

Also, at line 43 we see:

if ( !current_user_can( 'edit_comment', $comment_id ) )

There is no such capability as ‘edit_comment’ in WordPress standard capabilities list. After little source code investigation I discovered that ‘edit_comment’ virtual capability is mapped to the real one ‘edit_posts’ at the wp-admin/includes/capabilities.php - map_meta_cap() funtion, look to lines 954-959:

case 'edit_comment':
  $comment = get_comment( $args[0] );
  $post = get_post( $comment->comment_post_ID );
  $post_type_object = get_post_type_object( $post->post_type );
  $caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );

Thus, WordPress main rool for comments moderation is “if you can edit this post, you can edit, approve, unapprove, trash, that is moderate its comments.
What to do if you wish to go another way in this field? If you wish to permit comments moderation to user with ‘moderate_comments’ capability only? It’s not so easy.
We have a quick decision – just edit line 11 at ‘edit-comments.php’ and change ‘edit_posts’ to ‘moderate_comments’. But this is not good decision as this change will be lost after every WordPress update and should be restored manually in that case.
Can we achieve this using standard way for WordPress functionality modification – its hooks (filters and actions)? Let’s try. Imagine this picture, authors and editors go to the edit-comments.php page, but don’t see any links to use as comments moderation commands:

Limit edit-comments.php

Limit edit-comments.php

Insert this code to your active theme functions.php file:

function block_bulk_comments_actions($actions) {
  return $actions;
function block_comment_row_actions($actions) {
  return $actions;
if (!current_user_can('moderate_comments')) {
  add_filter('bulk_actions-edit-comments', 'block_bulk_comments_actions');
  add_filter('comment_row_actions', 'block_comment_row_actions');

and you will get the picture above for your edit-comments.php page.

Is our task resolved? No, we are only at the half of our way. We just hidden user interface elements for comments moderation. Those commands are still available to user if he/she is smart enough to type them directly in the browser address bar, e.g.
I didn’t find legal way to block these commands without editing core WordPress files. These commands are executed in edit-comments.php before any WordPress hook is used. I tried to use ‘parse_query’ filter, but without success, it is not called for edit-comments.php that way it works for posts edit.php. If you know/find/discover way to block comment moderation commands, please share your knowledge with us. Thanks in advance.

Tags: ,

  • Marc

    This was a big help, thanks! I haven’t found a way to prevent it on the backend, even Role Scoper, but if I do I’ll let you know.

  • TH3Harold

    i have a question how you set the author not to see the ip and e mail on comments? i want the author able to control their post by delete the comment when it not belong there same time i do not want author to know other author ip or e mail. i been on this for 4 days can not find a way to hide those ip and e mail

  • der

    This really helpful!!! THNX!!!

  • jimihenrik

    You can at least circumvent the “smart enough to type the edit comment address” by just checking on the comment edit page that is the comment the current users and redirecting him away if it’s not. You know, something like this:

    After this you’re left dealing with the front end (edit this comment -links and what not).

  • jimihenrik

    I know I’m couple of years late, but in case anyone else needs this functionality you can do something like this: