moderate_comments WordPress user capability

moderate_comments capability

moderate comments capability

moderate_comments WordPress user capability “allows users to moderate comments from the Comments SubPanel (although a user needs the edit_posts Capability in order to access this)”, – oficial WordPress Codex page says.

What I can say? Do not trust your own eyes. It is not the full true. Only last part of this declaration (about “edit_posts” capability) works as described in relation to the Comments subpanel. Are you not sure? Check it yourself. Take “User Role Editor” WordPress plugin, select the “Editor” role and uncheck “moderate_comments” capability. Then login to WordPress under the user with “Editor” role and go to the “Comments” panel. Do you still see links “unapprove, edit, spam, trash” under the comments there? Thus, you still may moderate comments inspite of you have not “moderate_comments” capability.
So, the next question – what is the real power of “moderate_comments” WordPress user capability?


There are alternative ways of comments moderation and some other benefits, where “moderate_comments” capability is really required or useful. Let’s make short excursion inside WordPress and look on the base of WordPress source code, how WordPress uses “moderate_comments” user capability.

1st, if user has “moderate_comments” capability his new added comment become published at once, without moderation. As commented at WordPress code “The author and the admins get respect”. Click here to look inside the source code.

2nd, “moderate_comments” capability will help you, if you wish to moderate comments remotely using WordPress’ XML-RPC support, with which you can post to your WordPress blog using many popular Weblog Clients. But it’s not the only capability you need for that. WordPress checks if user have “moderate_comments” capability before show him comments, delete or edit comments. If user has it, WordPress checks, if user has the meta “edit_comment” capability for delete and edit operations too. Meta capability is mapped to the set of primitive capabilities. It this case “edit_comment” capability is mapped to the “edit_post” or “edit_custom_post_type” capability, where “custom_post_type” is self-defined.

3rd, Dashboard Recent Comments Widget is shown to the users with “moderate_comments” capability only.

4th, Comments aprovement via WordPress AJAX interface is available if user has “moderate_comments” capability.

5th, “Empty Spam” and “Empty Trash” buttons at “Spam” and “Trash” tabs correspondingly of Comments submenu are available if user has “moderate_comments” capability. Real comments moderation here is available with capabilities to edit posts only.

6th, Two standard WordPress roles “Administrator” and “Editor” have “moderate_comments” capability included by default.

Thus, “moderate_comments” capability is in some transitive state. It’s checked in some places, in some places isn’t, and permission to edit posts is still the key capability, which user must have in order moderate comments in WordPress without any troubles.

I got a lot of questions from “User Role Editor” WordPress plugin users:
– How to give user capability to moderate comments but do not allow him edit posts?
Answer is negative, it’s impossible with just add/turn on, remove/turn off users capabilities. It’s the current WordPress core behaviour – in order moderate comment you should have permission to edit the post to which this comment was sent.
I agree with you, dear readers, I don’t understand why WordPress requires both capabilities “edit_posts” and “moderate_comments” at once. I’m sure it’s enough to have at least one of them in order to be comments moderator. That is if you an author of this post, editor of this blog, admin or you just have “moderate_comments” capability – please moderate comments.
What do you think? Could it be a feature request for the one of next WordPress versions? Did someone send such feature request to wordpress.org?


Curious readers can look on the quotes from the WordPress source code below, where “moderate_comments” user capability is used. I found 6 files:

  • /wp-includes/comments.php;
  • /wp-includes/class-wp-xml-rpc-server.php;
  • /wp-admin/includes/dashboard.php;
  • /wp-admin/includes/admin-ajax.php
  • /wp-admin/includes/class-wp-comments-list-table.php
  • /wp-admin/includes/schema.php

File /wp-includes/comment.php:
function wp_allow_comment():

641
642
643
644
645
	if ( isset($userdata) && ( $user_id == $post_author || $user->has_cap('moderate_comments') ) ) {
		// The author and the admins get respect.
		$approved = 1;
	 } else {
		// Everyone else's comments will be checked.

File /wp-includes/class-wp-xml-rpc-server.php:
function wp_getComment():

992
993
	if ( !current_user_can( 'moderate_comments' ) )
		return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );

function wp_getComments():

1066
1067
	if ( !current_user_can( 'moderate_comments' ) )
		return new IXR_Error( 401, __( 'Sorry, you cannot edit comments.' ) );

function wp_deleteComment():

1134
1135
		if ( !current_user_can( 'moderate_comments' ) )
			return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
1140
1141
	if ( !current_user_can( 'edit_comment', $comment_ID ) )
		return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );

function wp_editComment():

1184
1185
	if ( !current_user_can( 'moderate_comments' ) )
		return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );
1190
1191
	if ( !current_user_can( 'edit_comment', $comment_ID ) )
		return new IXR_Error( 403, __( 'You are not allowed to moderate comments on this site.' ) );

function wp_getCommentStatusList():

1337
1338
	if ( !current_user_can( 'moderate_comments' ) )
		return new IXR_Error( 403, __( 'You are not allowed access to details about this site.' ) );

File wp-admin/includes/dashboard.php::

45
46
47
48
49
50
51
52
53
54
55
// Recent Comments Widget
	if ( is_blog_admin() && current_user_can('moderate_comments') ) {
		if ( !isset( $widget_options['dashboard_recent_comments'] ) || !isset( $widget_options['dashboard_recent_comments']['items'] ) ) {
			$update = true;
			$widget_options['dashboard_recent_comments'] = array(
				'items' => 5,
			);
		}
		$recent_comments_title = __( 'Recent Comments' );
		wp_add_dashboard_widget( 'dashboard_recent_comments', $recent_comments_title, 'wp_dashboard_recent_comments', 'wp_dashboard_recent_comments_control' );
	}

File wp-admin/includes/admin-ajax.php:

457
458
459
460
461
462
463
464
465
466
467
468
	if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) && ! current_user_can( 'moderate_comments' ) )
		die('-1');
 
	$current = wp_get_comment_status( $comment->comment_ID );
	if ( $_POST['new'] == $current )
		die( (string) time() );
 
	check_ajax_referer( "approve-comment_$id" );
	if ( in_array( $current, array( 'unapproved', 'spam' ) ) )
		$result = wp_set_comment_status( $comment->comment_ID, 'approve', true );
	else
		$result = wp_set_comment_status( $comment->comment_ID, 'hold', true );

File /wp-admin/includes/class-wp-comments-list-table.php:

230
231
232
233
234
		if ( ( 'spam' == $comment_status || 'trash' == $comment_status ) && current_user_can( 'moderate_comments' ) ) {
			wp_nonce_field( 'bulk-destroy', '_destroy_nonce' );
			$title = ( 'spam' == $comment_status ) ? esc_attr__( 'Empty Spam' ) : esc_attr__( 'Empty Trash' );
			submit_button( $title, 'button-secondary apply', 'delete_all', false );
		}

File /wp-admin/includes/schema.php:
// Add caps for Administrator role

585
$role->add_cap('moderate_comments');

// Add caps for Editor role

610
$role->add_cap('moderate_comments');

File /wp-includes/capabilities.php:
function map_meta_cap( $cap, $user_id ):

1102
1103
1104
1105
1106
1107
	case 'edit_comment':
		$comment = get_comment( $args[0] );
		$post = get_post( $comment->comment_post_ID );
		$post_type_object = get_post_type_object( $post->post_type );
 
		$caps = map_meta_cap( $post_type_object->cap->edit_post, $user_id, $post->ID );

Tags: ,