From ca05a4b43db3a979b81c305fd4c3092532abc8dc Mon Sep 17 00:00:00 2001
From: Boone Gorges <boonebgorges@git.wordpress.org>
Date: Wed, 8 Jun 2016 04:00:18 +0000
Subject: [PATCH] Comments: In `wp_list_comments()`, queries with custom
 pagination params should obey default `comment_status` logic.

When custom pagination parameters are passed to `wp_list_comments()`, a
secondary query must be performed to fetch the proper comments. See [36157].
This query should show comments of the same `comment_status` as the default
query initialized in `comments_template()`: show only comments that are
approved, or those that are unapproved but belong to the current user.

Props smerriman.
Fixes #37048.

git-svn-id: https://develop.svn.wordpress.org/trunk@37655 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/comment-template.php          | 18 +++-
 .../phpunit/tests/comment/wpListComments.php  | 84 +++++++++++++++++++
 2 files changed, 98 insertions(+), 4 deletions(-)

diff --git a/src/wp-includes/comment-template.php b/src/wp-includes/comment-template.php
index 41accc9a46..1b5684b921 100644
--- a/src/wp-includes/comment-template.php
+++ b/src/wp-includes/comment-template.php
@@ -1960,13 +1960,23 @@ function wp_list_comments( $args = array(), $comments = null ) {
 
 			$current_per_page = get_query_var( 'comments_per_page' );
 			if ( $r['page'] != $current_cpage || $r['per_page'] != $current_per_page ) {
-
-				$comments = get_comments( array(
+				$comment_args = array(
 					'post_id' => get_the_ID(),
 					'orderby' => 'comment_date_gmt',
 					'order' => 'ASC',
-					'status' => 'all',
-				) );
+					'status' => 'approve',
+				);
+
+				if ( is_user_logged_in() ) {
+					$comment_args['include_unapproved'] = get_current_user_id();
+				} else {
+					$commenter = wp_get_current_commenter();
+					if ( $commenter['comment_author_email'] ) {
+						$comment_args['include_unapproved'] = $commenter['comment_author_email'];
+					}
+				}
+
+				$comments = get_comments( $comment_args );
 
 				if ( 'all' != $r['type'] ) {
 					$comments_by_type = separate_comments( $comments );
diff --git a/tests/phpunit/tests/comment/wpListComments.php b/tests/phpunit/tests/comment/wpListComments.php
index d8214f4f1c..29450e913f 100644
--- a/tests/phpunit/tests/comment/wpListComments.php
+++ b/tests/phpunit/tests/comment/wpListComments.php
@@ -146,4 +146,88 @@ class Tests_Comment_WpListComments extends WP_UnitTestCase {
 		preg_match_all( '|id="comment\-([0-9]+)"|', $found, $matches );
 		$this->assertSame( array( $comments[3] ), array_map( 'intval', $matches[1] ) );
 	}
+
+	/**
+	 * @ticket 37048
+	 */
+	public function test_custom_pagination_should_not_result_in_unapproved_comments_being_shown() {
+		$p = self::factory()->post->create();
+
+		$comments = array();
+		$now = time();
+		for ( $i = 0; $i <= 5; $i++ ) {
+			$comments[] = self::factory()->comment->create( array(
+				'comment_post_ID' => $p,
+				'comment_date_gmt' => date( 'Y-m-d H:i:s', $now - $i ),
+				'comment_author' => 'Commenter ' . $i,
+			) );
+		}
+
+		// Only 2 and 5 are approved.
+		wp_set_comment_status( $comments[0], '0' );
+		wp_set_comment_status( $comments[1], '0' );
+		wp_set_comment_status( $comments[3], '0' );
+		wp_set_comment_status( $comments[4], '0' );
+
+		update_option( 'page_comments', true );
+		update_option( 'comments_per_page', 2 );
+
+		$this->go_to( get_permalink( $p ) );
+
+		// comments_template() populates $wp_query->comments
+		get_echo( 'comments_template' );
+
+		$found = wp_list_comments( array(
+			'echo' => false,
+			'per_page' => 1,
+			'page' => 2,
+		) );
+
+		preg_match_all( '|id="comment\-([0-9]+)"|', $found, $matches );
+		$this->assertSame( array( $comments[2] ), array_map( 'intval', $matches[1] ) );
+	}
+
+	/**
+	 * @ticket 37048
+	 */
+	public function test_custom_pagination_should_allow_ones_own_unapproved_comments() {
+		$p = self::factory()->post->create();
+		$u = self::factory()->user->create();
+
+		$comments = array();
+		$now = time();
+		for ( $i = 0; $i <= 5; $i++ ) {
+			$comments[] = self::factory()->comment->create( array(
+				'comment_post_ID' => $p,
+				'comment_date_gmt' => date( 'Y-m-d H:i:s', $now - $i ),
+				'comment_author' => 'Commenter ' . $i,
+				'user_id' => $u,
+			) );
+		}
+
+		// Only 2 and 5 are approved.
+		wp_set_comment_status( $comments[0], '0' );
+		wp_set_comment_status( $comments[1], '0' );
+		wp_set_comment_status( $comments[3], '0' );
+		wp_set_comment_status( $comments[4], '0' );
+
+		update_option( 'page_comments', true );
+		update_option( 'comments_per_page', 2 );
+
+		wp_set_current_user( $u );
+
+		$this->go_to( get_permalink( $p ) );
+
+		// comments_template() populates $wp_query->comments
+		get_echo( 'comments_template' );
+
+		$found = wp_list_comments( array(
+			'echo' => false,
+			'per_page' => 1,
+			'page' => 2,
+		) );
+
+		preg_match_all( '|id="comment\-([0-9]+)"|', $found, $matches );
+		$this->assertSame( array( $comments[4] ), array_map( 'intval', $matches[1] ) );
+	}
 }