Security Model
The Private Comments plugin implements a restrictive visibility layer to ensure that private discussions remain confidential. By default, the plugin automatically filters comment data across all standard WordPress entry points, preventing unauthorized access via the frontend, RSS feeds, and the REST API.
Access Control Logic
The plugin evaluates the current user's identity against the comment's metadata. Visibility is granted only if the user meets at least one of the following criteria:
- Comment Author: The user who wrote the comment (verified by User ID for logged-in users).
- Post Author: The owner of the post or page where the comment was published.
- Site Administrator: Users with the manage_options capability.
REST API Integration
To prevent data leakage through modern headless applications or mobile apps, the plugin hooks into the WordPress REST API (/wp/v2/comments).
- Automatic Filtering: When an unauthenticated or unauthorized request is made to the comments endpoint, the plugin strips the restricted comments from the JSON response.
- Schema Protection: The plugin ensures that even if a comment ID is known, the API will return a 403 Forbidden or a 404 Not Found (depending on configuration) if the requester does not have the required permissions.
Example REST API Request:
# Requesting comments as a guest
curl -X GET "https://example.com/wp-json/wp/v2/comments?post=123"
Result: Only public comments or comments authored by the requester are returned.
RSS Feed Protection
WordPress natively generates feeds for site-wide comments and individual post comments. The Private Comments plugin intercepts these feed queries:
- Feed Scrubbing: Private comments are automatically excluded from the main comment feed (/comments/feed/).
- Post-Specific Feeds: For post-specific feeds (/post-slug/feed/), the plugin ensures that sensitive data is not broadcast to aggregators or feed readers.
Database Query Filtering
The plugin utilizes internal filters to modify comment queries at the database level. This ensures that even if a third-party plugin or custom theme uses get_comments() or WP_Comment_Query, the privacy logic is enforced.
| Interface | Security Action |
| :--- | :--- |
| WP Admin | Full visibility for Administrators; limited for authors. |
| Frontend Theme | Filtered via comments_array and the_comments hooks. |
| REST API | Filtered via rest_comment_query and object permissions. |
| RSS/Atom | Filtered via comment_feed_where to prevent global leakage. |
Verification
To verify the security model is active, you can test the following:
- Log out and attempt to view a post with comments; verify that only your own comments (if recently posted and still identified by cookie) or no comments are visible.
- Access the JSON endpoint (/wp-json/wp/v2/comments) in a private browser tab to confirm restricted comments are missing from the array.
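The guest-side checks can also be scripted. The following is an added example, not part of the plugin or its documentation: it requests the comment list, a known private comment ID and the site-wide comment feed without credentials and reports anything that leaks. It assumes you created a private comment as a test user and know its ID (7 here) and a unique marker string in its body (canary-7f3a); the function names, IDs, marker and sample responses are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

DENIED = {403, 404}  # statuses the page lists for a private comment requested by ID

def fetch(url):
    """Unauthenticated GET (no cookies, no auth header). Returns (status, text)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def audit(base, post_id, private_ids, marker, get=fetch):
    """Return leak findings for a guest session; an empty list means none found."""
    findings = []
    # 1. Collection endpoint: private comments must be missing from the array.
    status, body = get(f"{base}/wp-json/wp/v2/comments?post={post_id}&per_page=100")
    if status == 200:
        leaked = {c["id"] for c in json.loads(body)} & set(private_ids)
        findings += [f"list returned private comment {i}" for i in sorted(leaked)]
    # 2. Single-item endpoint: a known ID must be refused, not served.
    for cid in private_ids:
        status, _ = get(f"{base}/wp-json/wp/v2/comments/{cid}")
        if status not in DENIED:
            findings.append(f"comment {cid} answered HTTP {status}")
    # 3. Site-wide comment feed: the private text must not appear.
    status, body = get(f"{base}/comments/feed/")
    if status == 200 and marker in body:
        findings.append("comment feed contains the private marker text")
    return findings

# Constructed responses for an offline run. Comment 7 is the private one.
B = "https://example.com"
LIST_URL = f"{B}/wp-json/wp/v2/comments?post=123&per_page=100"
ITEM_URL = f"{B}/wp-json/wp/v2/comments/7"
FEED_URL = f"{B}/comments/feed/"
# Filtering broken: 7 is listed, served by ID, and its text is in the feed.
LEAKY = {LIST_URL: (200, '[{"id": 5}, {"id": 7}]'), ITEM_URL: (200, '{"id": 7}'),
         FEED_URL: (200, "<rss><item>canary-7f3a</item></rss>")}
# Filtering working: 7 is absent, refused by ID, and the feed is clean.
CLEAN = {LIST_URL: (200, '[{"id": 5}]'), ITEM_URL: (404, "{}"),
         FEED_URL: (200, "<rss></rss>")}

if __name__ == "__main__":
    for name, site in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, audit(B, 123, [7], "canary-7f3a", get=site.__getitem__))
```

To run it against your own site, call audit() with your base URL, post ID, private comment IDs and marker, leaving get at its default so real unauthenticated requests are made.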