Comments: Make admin comment dimming comment-type aware (Trac #35214, Stage 3)

[adamsilverstein]

Summary

Continues Stage 3 of capability enforcement (follow-up to PR #56) with the admin call-site family.

wp_ajax_dim_comment() (approve/unapprove from the comments list table) gated on:

if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) && ! current_user_can( 'moderate_comments' ) ) {
    wp_die( -1 );
}

The moderate_comments fallback is the global primitive, so a moderator of a custom comment type could not dim comments of that type.

What changed

Route the fallback through the per-comment moderate_comment meta cap (added in #55):

if ( ! current_user_can( 'edit_comment', $comment->comment_ID ) && ! current_user_can( 'moderate_comment', $comment->comment_ID ) ) {

For the default capability model moderate_comment resolves to moderate_comments, so built-in types are unchanged. A type with its own capability_type is gated by its own moderation primitive.

Why this is the last per-comment admin gate

After auditing the admin + XML-RPC surface, this is the only remaining per-comment moderation gate using the bare global primitive:

• wp-admin/comment.php, edit-comments.php, and the other AJAX comment handlers already gate on edit_comment, which #55 made type-aware.
• The list table's moderate_comments checks (get_bulk_actions(), the Empty Spam/Trash button) and XML-RPC wp.getComments (status filter) are collection-level, not a specific comment, so moderate_comment doesn't apply - they correctly stay global.

So with this PR, every per-comment moderation gate in core (REST in #56, admin AJAX here) now flows through the type-aware map_meta_cap() foundation.

Testing

Extends the existing wpAjaxDimComment.php Ajax tests: a review-type moderator (moderate_reviews) can dim a review comment; a global moderate_comments moderator without the type's caps is denied (-1). The existing administrator and subscriber tests still pass, confirming the default model is unchanged.

Full --group ajax --group comment --group capabilities passes (806 tests). PHPCS + PHPStan clean.

Stacking

Based on feature/comment-type-moderation-rest (#56). Retarget to trunk as the stack lands behind #12311.

See #35214.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: cd12c6b0-86dd-4b11-9e02-f1f6b8ff8355

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/comment-type-moderation-admin

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}