moderate_comments WordPress user capability

moderate_comments capability

moderate comments capability

moderate_comments WordPress user capability “allows users to moderate comments from the Comments SubPanel (although a user needs the edit_posts Capability in order to access this)”, – oficial WordPress Codex page says.

What I can say? Do not trust your own eyes. It is not the full true. Only last part of this declaration (about “edit_posts” capability) works as described in relation to the Comments subpanel. Are you not sure? Check it yourself. Take “User Role Editor” WordPress plugin, select the “Editor” role and uncheck “moderate_comments” capability. Then login to WordPress under the user with “Editor” role and go to the “Comments” panel. Do you still see links “unapprove, edit, spam, trash” under the comments there? Thus, you still may moderate comments inspite of you have not “moderate_comments” capability.
So, the next question – what is the real power of “moderate_comments” WordPress user capability?


There are alternative ways of comments moderation and some other benefits, where “moderate_comments” capability is really required or useful. Let’s make short excursion inside WordPress and look on the base of WordPress source code, how WordPress uses “moderate_comments” user capability.

1st, if user has “moderate_comments” capability his new added comment become published at once, without moderation. As commented at WordPress code “The author and the admins get respect”. Click here to look inside the source code.

2nd, “moderate_comments” capability will help you, if you wish to moderate comments remotely using WordPress’ XML-RPC support, with which you can post to your WordPress blog using many popular Weblog Clients. But it’s not the only capability you need for that. WordPress checks if user have “moderate_comments” capability before show him comments, delete or edit comments. If user has it, WordPress checks, if user has the meta “edit_comment” capability for delete and edit operations too. Meta capability is mapped to the set of primitive capabilities. It this case “edit_comment” capability is mapped to the “edit_post” or “edit_custom_post_type” capability, where “custom_post_type” is self-defined.

3rd, Dashboard Recent Comments Widget is shown to the users with “moderate_comments” capability only.

4th, Comments aprovement via WordPress AJAX interface is available if user has “moderate_comments” capability.

5th, “Empty Spam” and “Empty Trash” buttons at “Spam” and “Trash” tabs correspondingly of Comments submenu are available if user has “moderate_comments” capability. Real comments moderation here is available with capabilities to edit posts only.

6th, Two standard WordPress roles “Administrator” and “Editor” have “moderate_comments” capability included by default.

Thus, “moderate_comments” capability is in some transitive state. It’s checked in some places, in some places isn’t, and permission to edit posts is still the key capability, which user must have in order moderate comments in WordPress without any troubles.

I got a lot of questions from “User Role Editor” WordPress plugin users:
– How to give user capability to moderate comments but do not allow him edit posts?
Answer is negative, it’s impossible with just add/turn on, remove/turn off users capabilities. It’s the current WordPress core behaviour – in order moderate comment you should have permission to edit the post to which this comment was sent.
I agree with you, dear readers, I don’t understand why WordPress requires both capabilities “edit_posts” and “moderate_comments” at once. I’m sure it’s enough to have at least one of them in order to be comments moderator. That is if you an author of this post, editor of this blog, admin or you just have “moderate_comments” capability – please moderate comments.
What do you think? Could it be a feature request for the one of next WordPress versions? Did someone send such feature request to wordpress.org?


Curious readers can look on the quotes from the WordPress source code below, where “moderate_comments” user capability is used. I found 6 files:

  • /wp-includes/comments.php;
  • /wp-includes/class-wp-xml-rpc-server.php;
  • /wp-admin/includes/dashboard.php;
  • /wp-admin/includes/admin-ajax.php
  • /wp-admin/includes/class-wp-comments-list-table.php
  • /wp-admin/includes/schema.php

File /wp-includes/comment.php:
function wp_allow_comment():

641
642
643
644
645
	if ( isset($userdata) && ( $user_id == $post_author || $user->has_cap('moderate_comments') ) ) {
		// The author and the admins get respect.
		$approved = 1;
	 } else {
		// Everyone else's comments will be checked.

File /wp-includes/class-wp-xml-rpc-server.php:
function wp_getComment():

992
993
	if ( !current_user_can( 'moderate_comments' ) )
		return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );

function wp_getComments():

1066
1067
	if ( !current_user_can( 'moderate_comments' ) )
		return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) );

function wp_deleteComment():

1134
1135
		if ( !current_user_can( 'moderate_comments' ) )
			return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
1140
1141
	if ( !current_user_can( 'edit_comment', $comment_ID ) )
		return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );

function wp_editComment():

1184
1185
	if ( !current_user_can( 'moderate_comments' ) )
		return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
1190
1191
	if ( !current_user_can( 'edit_comment', $comment_ID ) )
		return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );

function wp_getCommentStatusList():

1337
1338
	if ( !current_user_can( 'moderate_comments' ) )
		return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );

File wp-admin/includes/dashboard.php::

45
46
47
48
49
50
51
52
53
54
55
// Recent Comments Widget
	if ( is_blog_admin() && current_user_can('moderate_comments') ) {
		if ( !isset( $widget_options['dashboard_recent_comments'] ) || !isset( $widget_options['dashboard_recent_comments']['items'] ) ) {
			$update = true;
			$widget_options['dashboard_recent_comments'] = array(
				'items' => 5,
			);
		}
		$recent_comments_title = __( 'Recent Comments' );
		wp_add_dashboard_widget( 'dashboard_recent_comments', $recent_comments_title, 'wp_dashboard_recent_comments', 'wp_dashboard_recent_comments_control' );
	}

File wp-admin/includes/admin-ajax.php:

457
458
459
460
461
462
463
464
465
466
467
468
	if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) && ! current_user_can( 'moderate_comments' ) )
		die('-1');
 
	$current = wp_get_comment_status( $comment->comment_ID );
	if ( $_POST['new'] == $current )
		die( (string) time() );
 
	check_ajax_referer( "approve-comment_$id" );
	if ( in_array( $current, array( 'unapproved', 'spam' ) ) )
		$result = wp_set_comment_status( $comment->comment_ID, 'approve', true );
	else
		$result = wp_set_comment_status( $comment->comment_ID, 'hold', true );

File /wp-admin/includes/class-wp-comments-list-table.php:

230
231
232
233
234
		if ( ( 'spam' == $comment_status || 'trash' == $comment_status ) && current_user_can( 'moderate_comments' ) ) {
			wp_nonce_field( 'bulk-destroy', '_destroy_nonce' );
			$title = ( 'spam' == $comment_status ) ? esc_attr__( 'Empty Spam' ) : esc_attr__( 'Empty Trash' );
			submit_button( $title, 'button-secondary apply', 'delete_all', false );
		}

File /wp-admin/includes/schema.php:
// Add caps for Administrator role

585
$role->add_cap('moderate_comments');

// Add caps for Editor role

610
$role->add_cap('moderate_comments');

File /wp-includes/capabilities.php:
function map_meta_cap( $cap, $user_id ):

1102
1103
1104
1105
1106
1107
	case 'edit_comment':
		$comment = get_comment( $args[0] );
		$post = get_post( $comment->comment_post_ID );
		$post_type_object = get_post_type_object( $post->post_type );
 
		$caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );

Tags: ,

  • xjavier

    Hello, thanks for the User Role Editor Plug-In, now 1 question i have:

    How to give a users the capability to edit their own posts without the cap to edit-delete others comments?

    When i select the “Edit published entries” to any Role (Suscriber, Editor, Author, etc) – so the users can edit their own post once it’s online – i give the rights to approve or delete comments from all users including the Administrator.

    I just need the Author Role to have capability to Write and Edit the posts but not to delete other’s comments!

  • Hello,
    Thanks. 
    The answer is negative. It’s a WordPress feature: if you are the author of this post or capable edit it, you can moderate comments for this post too.
    I thinks, your purpose could be achieved with additional programming efforts only or some comments plugin, which has its own permission subsystem or changes current WordPress one. I didn’t investigate this subject deeper yet and have not ready for use decision.

  • Zhanat A

    Hello!

    How can i use plugin for moderator role who can approve or decline comments to the post?
    I made 1 user as moderator and moderate_comments already checked but moderator user cannot see any “approve” etc button under the recent comment in dashboard.

  •  Hello!

    It’s impossible to moderate comments at WP dashboard with edit_posts capability in addition. User should be capable to edit post, for which he intends to moderate comments.

  • I’m confused .. is this a bug in wordpress or not? I do NOT want my contributors to be able to edit comments! Is there some way to do this? I’ve used user_role_editor to allow them to set their posts to “pending”, and one of the admins of my site come and schedule posts to flow out appropriately each week. I turned off the “moderate comments” and assumed they did not have the power to do that.

  • It’s not a WordPress bug, it’s a feature. If user can edit post, he can moderate comments for that post.
    moderate_comments is not a key capability here.
    One way to resolve this issue – use external comment system, like Disqus or similar.
    Other one – you can change author of the post at WordPress – to prohibit comments moderation for original author/contributor, but still show contributor’s name as post author. Just store it at post meta field and modify your theme.

  • Gavin

    Feature request: Notifications.

    Is it possible to enable email notifications (when new comments are made for moderation) to be sent to an Editor with moderate_comments capability?

    Currently only the Administrator gets these (via settings in General > Discussions).

  • It is possible via plugins. Try this one for example
    http://wordpress.org/extend/plugins/cbnet-multi-author-comment-notification/
    According to description this plugin allows to send email notification to users with selected role, including ‘Editor’.

  • Tobias Kraus

    My problem is, I cannot give “moderate_comments” capability whithout “edit_pages “.
    In the article is just written, that “edit_posts” is necessary, but in my case “edit_pages” is also necessary, which I don’t want.

    As well a problem of Word Press?

    (My WP Version is 4.3.1 and User Role Editor Version is 4.22)

  • Martin Worth

    How can i just allow a one user to edit a specific page ? just installed plugin

  • It’s a feature of a Pro version – posts/pages/custom post types edit restricitions add-on:
    https://www.role-editor.com/allow-user-edit-selected-posts/

  • WordPress checks if user is capable to edit post or page to which a comment is related to decide if user can moderate it. So if comment is linked to the page, ‘edit_pages’ or even ‘edit_others_pages’ are needed.

  • Oliver Wagner

    Am I right, that it is impossible to grant edit rights on comments to the contributing user if this user is not the owner of the corresponding post?

  • You are right. User should be the owner of the post or he should be capable to edit others posts like the ‘editor’ role does.