Restrict note editing capabilities to their authors or comment moderators#11191
mindctrl wants to merge 8 commits into WordPress:trunk from
Co-authored-by: Weston Ruter <westonruter@gmail.com>
Pull request overview
This PR changes WordPress note (internal comment) capability mapping so only the note author or users who can moderate comments can edit/delete a note, while ensuring authorized collaborators can still read notes via REST.
Changes:
- Update `map_meta_cap()` to apply note-specific rules for `edit_comment` and `delete_comment`.
- Adjust REST comments controller note read/access behavior for `context=edit` and note reading.
- Add PHPUnit coverage for note edit/delete capability mapping and REST update/delete/read scenarios.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/phpunit/tests/user/capabilities.php | Adds meta-cap and role behavior tests for note edit/delete and regular comment behavior. |
| tests/phpunit/tests/rest-api/rest-comments-controller.php | Adds REST API tests ensuring non-authors can’t edit/delete notes, while authors/moderators can (and reads remain possible for post editors). |
| src/wp-includes/rest-api/endpoints/class-wp-rest-comments-controller.php | Adjusts note read permission logic and edit-context permission behavior in REST. |
| src/wp-includes/capabilities.php | Introduces note-specific meta-cap mapping for editing/deleting notes. |
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| if ( 'note' === $comment->comment_type ) { | ||
| if ( (int) $user_id === (int) $comment->user_id ) { | ||
| $post = get_post( $comment->comment_post_ID ); | ||
| if ( $post ) { | ||
| $post_type = get_post_type_object( $post->post_type ); | ||
| if ( $post_type ) { | ||
| $caps[] = $post_type->cap->edit_posts; | ||
| break; | ||
| } | ||
| } | ||
| $caps[] = 'edit_posts'; | ||
| } else { | ||
| $caps[] = 'moderate_comments'; | ||
| } | ||
| break; |
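Review bot: in the author branch, the `$caps[] = 'edit_posts';` fallback that runs when `get_post()` or `get_post_type_object()` returns nothing still grants the edit/delete right through a generic cap even though the parent post no longer resolves; consider returning `do_not_allow` there instead, since a note without a resolvable parent should not be editable at all. Relatedly, the `(int) $user_id === (int) $comment->user_id` comparison also matches when both values are 0, so guarding the branch with `$user_id > 0` would avoid treating an anonymous caller as the author of a note whose user_id is unset.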
For note authors, this maps edit_comment/delete_comment to the post type’s primitive edit_posts cap (or generic edit_posts). That bypasses the per-post rules enforced by edit_post mapping (e.g., edit_published_posts, edit_others_posts, status transitions), so a user could still edit/delete their note even when they can no longer edit the parent post (e.g., the post becomes publish). Consider delegating to the existing per-post mapping (similar to regular comments) so note authors require the same effective capabilities as editing the associated post, while non-authors still require moderate_comments.
Notes (internal collaborative comments on posts) currently inherit the same capability mapping as regular comments, meaning anyone who can edit the parent post can edit or delete any note on it.
Trac ticket: https://core.trac.wordpress.org/ticket/64779
Use of AI Tools
Opus 4.6 helped with this, particularly the phpunit tests.
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.
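As an added illustration, not code from this PR or from WordPress core: a plugin-style `map_meta_cap` filter that applies the note rule described above, but takes the reviewer's suggestion of delegating the author branch to the parent post's `edit_post` mapping and refusing (`do_not_allow`) when the parent post is missing. The function name `example_restrict_note_meta_caps` is an assumption.

```php
<?php
/**
 * Added illustration (not the PR's code): map edit_comment/delete_comment on
 * 'note' comments to (a) moderate_comments for non-authors, or (b) the same
 * primitive caps the author would need to edit the parent post.
 */
add_filter( 'map_meta_cap', 'example_restrict_note_meta_caps', 10, 4 );

function example_restrict_note_meta_caps( $caps, $cap, $user_id, $args ) {
	if ( 'edit_comment' !== $cap && 'delete_comment' !== $cap ) {
		return $caps;
	}

	$comment = isset( $args[0] ) ? get_comment( $args[0] ) : null;
	if ( ! $comment || 'note' !== $comment->comment_type ) {
		return $caps; // Not a note: leave core's mapping untouched.
	}

	// Anonymous callers and non-authors need the moderation capability.
	$user_id = (int) $user_id;
	if ( 0 === $user_id || $user_id !== (int) $comment->user_id ) {
		return array( 'moderate_comments' );
	}

	// Author: require the same effective caps as editing the parent post, so
	// status transitions (e.g. publish) and ownership rules still apply.
	$post = get_post( $comment->comment_post_ID );
	if ( ! $post ) {
		return array( 'do_not_allow' ); // Parent gone: no generic edit_posts fallback.
	}

	return map_meta_cap( 'edit_post', $user_id, $post->ID );
}
```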