Comments: Never allow edit of federated comments (#1895)

obenland · web-flow · commit c95887644a9b · 2025-07-07T10:56:09.000-05:00
diff --git a/.github/changelog/1895-from-description b/.github/changelog/1895-from-description
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Comments received from the Fediverse no longer show an Edit link in the comment list, despite not being editable.
diff --git a/includes/class-comment.php b/includes/class-comment.php
@@ -23,6 +23,7 @@ class Comment {
 	public static function init() {
 		self::register_comment_types();
 
+		\add_filter( 'map_meta_cap', array( self::class, 'map_meta_cap' ), 10, 4 );
 		\add_filter( 'comment_reply_link', array( self::class, 'comment_reply_link' ), 10, 3 );
 		\add_filter( 'comment_class', array( self::class, 'comment_class' ), 10, 3 );
 		\add_filter( 'comment_feed_where', array( static::class, 'comment_feed_where' ) );
@@ -35,6 +36,24 @@ public static function init() {
 		\add_filter( 'pre_wp_update_comment_count_now', array( static::class, 'pre_wp_update_comment_count_now' ), 10, 3 );
 	}
 
+	/**
+	 * Remove edit capabilities for comments received via ActivityPub.
+	 *
+	 * @param array  $caps    Array of capabilities.
+	 * @param string $cap     Capability name.
+	 * @param int    $user_id User ID.
+	 * @param array  $args    Array of arguments.
+	 *
+	 * @return array Modified array of capabilities.
+	 */
+	public static function map_meta_cap( $caps, $cap, $user_id, $args ) {
+		if ( 'edit_comment' === $cap && self::was_received( $args[0] ) ) {
+			$caps[] = 'do_not_allow';
+		}
+
+		return $caps;
+	}
+
 	/**
 	 * Filter the comment reply link.
 	 *
diff --git a/includes/wp-admin/class-admin.php b/includes/wp-admin/class-admin.php
@@ -253,24 +253,6 @@ public static function enqueue_scripts( $hook_suffix ) {
 	 * Disables the edit_comment capability for federated comments.
 	 */
 	public static function edit_comment() {
-		// Disable the edit_comment capability for federated comments.
-		\add_filter(
-			'user_has_cap',
-			function ( $all_caps, $caps, $arg ) {
-				if ( 'edit_comment' !== $arg[0] ) {
-					return $all_caps;
-				}
-
-				if ( was_comment_received( $arg[2] ) ) {
-					return false;
-				}
-
-				return $all_caps;
-			},
-			1,
-			3
-		);
-
 		// phpcs:ignore WordPress.Security.NonceVerification
 		$comment_id = \absint( $_GET['c'] ?? 0 );
 		if ( Comment::was_received( $comment_id ) ) {
