Comments: Show the "awaiting moderation" message when comment cookies are disabled.

The "Your comment is awaiting moderation." message relied upon the comment author cookie being set. However, since it's now possible to opt-out of that cookie, submitting a comment won't show the comment preview when the comment is placed in moderation.

To avoid this issue, we now include a hash in the redirect URL, allowing the site to identify that a preview of the moderated comment should be displayed.

Props imath, tomdxw, birgire, lakenh, azaozz, pento.
Fixes #43857.



git-svn-id: https://develop.svn.wordpress.org/trunk@44659 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-comments-post.php

@@ -56,6 +56,17 @@ do_action( 'set_comment_cookies', $comment, $user, $cookies_consent );
 
 $location = empty( $_POST['redirect_to'] ) ? get_comment_link( $comment ) : $_POST['redirect_to'] . '#comment-' . $comment->comment_ID;
 
+// Add specific query arguments to display the awaiting moderation message.
+if ( 'unapproved' === wp_get_comment_status( $comment ) && ! empty( $comment->comment_author_email ) ) {
+	$location = add_query_arg(
+		array(
+			'unapproved'      => $comment->comment_ID,
+			'moderation-hash' => wp_hash( $comment->comment_date_gmt ),
+		),
+		$location
+	);
+}
+
 /**
  * Filters the location URI to send the commenter after posting.
  *

src/wp-includes/comment-template.php

@@ -1372,8 +1372,12 @@ function comments_template( $file = '/comments.php', $separate_comments = false
 
 	if ( $user_ID ) {
 		$comment_args['include_unapproved'] = array( $user_ID );
-	} elseif ( ! empty( $comment_author_email ) ) {
-		$comment_args['include_unapproved'] = array( $comment_author_email );
+	} else {
+		$unapproved_email = wp_get_unapproved_comment_author_email();
+
+		if ( $unapproved_email ) {
+			$comment_args['include_unapproved'] = array( $unapproved_email );
+		}
 	}
 
 	$per_page = 0;
@@ -1690,7 +1694,15 @@ function get_comment_reply_link( $args = array(), $comment = null, $post = null
 
 		$link = sprintf(
 			"<a rel='nofollow' class='comment-reply-link' href='%s' %s aria-label='%s'>%s</a>",
-			esc_url( add_query_arg( 'replytocom', $comment->comment_ID ) ) . '#' . $args['respond_id'],
+			esc_url(
+				add_query_arg(
+					array(
+						'replytocom'      => $comment->comment_ID,
+						'unapproved'      => false,
+						'moderation-hash' => false,
+					)
+				)
+			) . '#' . $args['respond_id'],
 			$data_attribute_string,
 			esc_attr( sprintf( $args['reply_to_text'], $comment->comment_author ) ),
 			$args['reply_text']
@@ -1832,7 +1844,7 @@ function get_cancel_comment_reply_link( $text = '' ) {
 	}
 
 	$style = isset( $_GET['replytocom'] ) ? '' : ' style="display:none;"';
-	$link  = esc_html( remove_query_arg( 'replytocom' ) ) . '#respond';
+	$link  = esc_html( remove_query_arg( array( 'replytocom', 'unapproved', 'moderation-hash' ) ) ) . '#respond';
 
 	$formatted_link = '<a rel="nofollow" id="cancel-comment-reply-link" href="' . $link . '"' . $style . '>' . $text . '</a>';
 
@@ -2055,9 +2067,10 @@ function wp_list_comments( $args = array(), $comments = null ) {
 				if ( is_user_logged_in() ) {
 					$comment_args['include_unapproved'] = get_current_user_id();
 				} else {
-					$commenter = wp_get_current_commenter();
-					if ( $commenter['comment_author_email'] ) {
-						$comment_args['include_unapproved'] = $commenter['comment_author_email'];
+					$unapproved_email = wp_get_unapproved_comment_author_email();
+
+					if ( $unapproved_email ) {
+						$comment_args['include_unapproved'] = array( $unapproved_email );
 					}
 				}
 

src/wp-includes/comment.php

@@ -1768,6 +1768,35 @@ function wp_get_current_commenter() {
 	return apply_filters( 'wp_get_current_commenter', compact( 'comment_author', 'comment_author_email', 'comment_author_url' ) );
 }
 
+/**
+ * Get unapproved comment author's email.
+ *
+ * Used to allow the commenter to see their pending comment.
+ *
+ * @since 5.1.0
+ *
+ * @return string The unapproved comment author's email (when supplied).
+ */
+function wp_get_unapproved_comment_author_email() {
+	$commenter_email = '';
+
+	if ( ! empty( $_GET['unapproved'] ) && ! empty( $_GET['moderation-hash'] ) ) {
+		$comment_id = (int) $_GET['unapproved'];
+		$comment    = get_comment( $comment_id );
+
+		if ( $comment && hash_equals( $_GET['moderation-hash'], wp_hash( $comment->comment_date_gmt ) ) ) {
+			$commenter_email = $comment->comment_author_email;
+		}
+	}
+
+	if ( ! $commenter_email ) {
+		$commenter       = wp_get_current_commenter();
+		$commenter_email = $commenter['comment_author_email'];
+	}
+
+	return $commenter_email;
+}
+
 /**
  * Inserts a comment into the database.
  *

tests/phpunit/tests/comment/commentsTemplate.php

@@ -831,6 +831,42 @@ class Tests_Comment_CommentsTemplate extends WP_UnitTestCase {
 		return $commenter;
 	}
 
+	/**
+	 * @ticket 43857
+	 */
+	public function test_comments_list_should_include_just_posted_unapproved_comment() {
+		$now     = time();
+		$p       = self::factory()->post->create();
+		$c       = self::factory()->comment->create(
+			array(
+				'comment_post_ID'      => $p,
+				'comment_content'      => '1',
+				'comment_approved'     => '0',
+				'comment_date_gmt'     => date( 'Y-m-d H:i:s', $now ),
+				'comment_author_email' => 'foo@bar.mail',
+			)
+		);
+		$comment = get_comment( $c );
+
+		$this->go_to(
+			add_query_arg(
+				array(
+					'unapproved'      => $comment->comment_ID,
+					'moderation-hash' => wp_hash( $comment->comment_date_gmt ),
+				),
+				get_comment_link( $comment )
+			)
+		);
+
+		$found = get_echo( 'comments_template' );
+
+		// Find the found comment in the markup.
+		preg_match( '|id="comment-([0-9]+)|', $found, $matches );
+
+		$found_cid = (int) $matches[1];
+		$this->assertSame( $c, $found_cid );
+	}
+
 	/**
 	 * @ticket 35378
 	 */