Comments: Ensure that unmoderated comments won't be search indexed.

After a comment is submitted, only allow a brief window where the comment is live on the site. Fixes #49956. Props: jonkolbert, ayeshrajans, Asif2BD, peterwilsoncc, imath, audrasjb, jonoaldersonwp, whyisjake. git-svn-id: https://develop.svn.wordpress.org/trunk@47887 602fd350-edb4-49c9-b593-d223f7449a82
2020-06-02 20:10:02 +00:00 · 2020-06-02 20:10:02 +00:00 · d232910423
commit d232910423
parent ffd5d37c77
5 changed files with 85 additions and 30 deletions
--- a/src/wp-comments-post.php
+++ b/src/wp-comments-post.php
@ -56,8 +56,8 @@ do_action( 'set_comment_cookies', $comment, $user, $cookies_consent );
 $location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment ) : $_POST['redirect_to'] . '#comment-' . $comment->comment_ID;
-// Add specific query arguments to display the awaiting moderation message.
+// If user didn't consent to cookies, add specific query arguments to display the awaiting moderation message.
-if ( 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
+if ( ! $cookies_consent && 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
 	$location = add_query_arg(
 		array(
 			'unapproved'      => $comment->comment_ID,
--- a/src/wp-includes/class-walker-comment.php
+++ b/src/wp-includes/class-walker-comment.php
@ -181,6 +181,10 @@ class Walker_Comment extends Walker {
 			return;
 		}
 		if ( 'comment' === $comment->comment_type ) {
 			add_filter( 'comment_text', array( $this, 'comment_text' ), 40, 2 );
 		}
 		if ( ( 'pingback' === $comment->comment_type || 'trackback' === $comment->comment_type ) && $args['short_ping'] ) {
 			ob_start();
 			$this->ping( $comment, $depth, $args );
@ -194,6 +198,10 @@ class Walker_Comment extends Walker {
 			$this->comment( $comment, $depth, $args );
 			$output .= ob_get_clean();
 		}
 		if ( 'comment' === $comment->comment_type ) {
 			remove_filter( 'comment_text', array( $this, 'comment_text' ), 40, 2 );
 		}
 	}
 	/**
@ -244,6 +252,26 @@ class Walker_Comment extends Walker {
 		<?php
 	}
 	/**
 	 * Remove links from the pending comment's text if the commenter has not consent to the comment cookie.
 	 *
 	 * @since 5.4.2
 	 *
 	 * @param string          $comment_text Text of the current comment.
 	 * @param WP_Comment|null $comment      The comment object.
 	 * @return string                       Text of the current comment.
 	 */
 	function comment_text( $comment_text, $comment ) {
 		$commenter          = wp_get_current_commenter();
 		$show_pending_links = ! empty( $commenter['comment_author'] );
 		if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
 			return wp_kses( $comment_text, array() );
 		}
 		return $comment_text;
 	}
 	/**
 	 * Outputs a single comment.
 	 *
@ -265,6 +293,7 @@ class Walker_Comment extends Walker {
 		}
 		$commenter          = wp_get_current_commenter();
 		$show_pending_links = isset( $commenter['comment_author'] ) && $commenter['comment_author'];
 		if ( $commenter['comment_author_email'] ) {
 			$moderation_note = __( 'Your comment is awaiting moderation.' );
 		} else {
@ -279,13 +308,18 @@ class Walker_Comment extends Walker {
 		<div class="comment-author vcard">
 			<?php
 			if ( 0 != $args['avatar_size'] ) {
-				echo get_avatar( $comment, $args['avatar_size'] );}
+				echo get_avatar( $comment, $args['avatar_size'] );
 			}
 			?>
 			<?php
 			$comment_author = get_comment_author_link( $comment );
 			if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
 				$comment_author = get_comment_author( $comment );
 			}
 			printf(
 				/* translators: %s: Comment author link. */
 				__( '%s <span class="says">says:</span>' ),
-					sprintf( '<cite class="fn">%s</cite>', get_comment_author_link( $comment ) )
+				sprintf( '<cite class="fn">%s</cite>', $comment_author )
 			);
 			?>
 		</div>
@ -355,6 +389,7 @@ class Walker_Comment extends Walker {
 		$tag = ( 'div' === $args['style'] ) ? 'div' : 'li';
 		$commenter          = wp_get_current_commenter();
 		$show_pending_links = ! empty( $commenter['comment_author'] );
 		if ( $commenter['comment_author_email'] ) {
 			$moderation_note = __( 'Your comment is awaiting moderation.' );
 		} else {
@ -372,10 +407,14 @@ class Walker_Comment extends Walker {
 						}
 						?>
 						<?php
 						$comment_author = get_comment_author_link( $comment );
 						if ( '0' == $comment->comment_approved && ! $show_pending_links ) {
 							$comment_author = get_comment_author( $comment );
 						}
 						printf(
 							/* translators: %s: Comment author link. */
 							__( '%s <span class="says">says:</span>' ),
-								sprintf( '<b class="fn">%s</b>', get_comment_author_link( $comment ) )
+							sprintf( '<b class="fn">%s</b>', $comment_author )
 						);
 						?>
 					</div><!-- .comment-author -->
@ -402,6 +441,7 @@ class Walker_Comment extends Walker {
 				</div><!-- .comment-content -->
 				<?php
 				if ( '1' == $comment->comment_approved || $show_pending_links ) {
 					comment_reply_link(
 						array_merge(
 							$args,
@ -414,6 +454,7 @@ class Walker_Comment extends Walker {
 							)
 						)
 					);
 				}
 				?>
 			</article><!-- .comment-body -->
 		<?php
--- a/src/wp-includes/class-wp-comment-query.php
+++ b/src/wp-includes/class-wp-comment-query.php
@ -553,13 +553,18 @@ class WP_Comment_Query {
 				// Numeric values are assumed to be user ids.
 				if ( is_numeric( $unapproved_identifier ) ) {
 					$approved_clauses[] = $wpdb->prepare( "( user_id = %d AND comment_approved = '0' )", $unapproved_identifier );
 					// Otherwise we match against email addresses.
 				} else {
 					// Otherwise we match against email addresses.
 					if ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
 						// Only include requested comment.
 						$approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' AND comment_ID = %d )", $unapproved_identifier, (int) $_GET['unapproved'] );
 					} else {
 						// Include all of the author's unapproved comments.
 						$approved_clauses[] = $wpdb->prepare( "( comment_author_email = %s AND comment_approved = '0' )", $unapproved_identifier );
 					}
 				}
 			}
 		}
 		// Collapse comment_approved clauses into a single OR-separated clause.
 		if ( ! empty( $approved_clauses ) ) {
--- a/src/wp-includes/class-wp.php
+++ b/src/wp-includes/class-wp.php
@ -404,6 +404,10 @@ class WP {
 		if ( is_user_logged_in() ) {
 			$headers = array_merge( $headers, wp_get_nocache_headers() );
 		} elseif ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
 			// Unmoderated comments are only visible for one minute via the moderation hash.
 			$headers['Expires']       = gmdate( 'D, d M Y H:i:s', time() + MINUTE_IN_SECONDS );
 			$headers['Cache-Control'] = 'max-age=60, must-revalidate';
 		}
 		if ( ! empty( $this->query_vars['error'] ) ) {
 			$status = (int) $this->query_vars['error'];
--- a/src/wp-includes/comment.php
+++ b/src/wp-includes/comment.php
@ -1852,9 +1852,14 @@ function wp_get_unapproved_comment_author_email() {
 		$comment    = get_comment( $comment_id );
 		if ( $comment && hash_equals( $_GET['moderation-hash'], wp_hash( $comment->comment_date_gmt ) ) ) {
 			// The comment will only be viewable by the comment author for 1 minute.
 			$comment_preview_expires = strtotime( $comment->comment_date_gmt . '+1 minute' );
 			if ( time() < $comment_preview_expires ) {
 				$commenter_email = $comment->comment_author_email;
 			}
 		}
 	}
 	if ( ! $commenter_email ) {
 		$commenter       = wp_get_current_commenter();