Add a new public method to the Comment_Analysis class that is used to analyze a comment#516

Merged
dkotter merged 3 commits into
WordPress:developfrom
dkotter:fix/comment-moderation-permissions
May 7, 2026
Conversation

@dkotter
Collaborator

@dkotter dkotter commented May 6, 2026

What?

Closes #515

Add a new analyze_comment_by_id method to the Comment_Analysis class and use that whenever we want to analyze a comment.

Why?

If we directly use the Comment_Analysis Ability to analyze a comment, it will require the permission_callback to pass which requires a user to be logged in and have the moderate_comments capability. While this is great and we want that in place, this means we can't use this class to analyze a newly added comment from a non-logged in user or a non-admin/editor user.

How?

  • Adds a new analyze_comment_by_id method to the Comment_Analysis class
  • When the Comment_Analysis Ability is called, the execution callback will now use this method (after passing the permission check)
  • When we analyze a newly added comment, instead of directly calling the Ability (which will trigger the permission check), call this new analyze_comment_by_id method. Since we hook this to wp_insert_comment, WordPress has already run its own checks, so no need for us to have a permission check here

Use of AI Tools

AI assistance: Yes
Tool(s): Cursor
Model(s): GPT-5.5
Used for: Analyzing the problem and suggesting some approaches. I considered the approaches and settled on what I felt was right and AI executed on that plan. Final review and testing by me

Testing Instructions

  1. Pull down this PR
  2. Turn on the Comment Moderation experiment
  3. Ensure you have an AI Connector in place
  4. Ensure comments are allowed on your site
  5. As a logged-in user, go to the front-end and leave a comment. Ensure this comment is saved
  6. Go to the Comments screen in the admin and ensure you see this comment and you see Sentiment and Toxicity values
  7. Log out
  8. Go to a post and leave a comment
  9. Ensure that comment goes through
  10. Log back in and find that comment on the Comments screen and ensure you see this comment and you see Sentiment and Toxicity values
  11. From that screen, manually analyze one or more comments and ensure that still works

Changelog Entry

Fixed - Ensure comment moderation works properly for comments left by non-logged in users and users without the comment_moderation capability


… Ability class that is a shared helper to run comment analysis. The Ability itself invokes this but others can directly invoke this and bypass the permission checking the Ability API does
@dkotter dkotter added this to the 0.9.0 milestone May 6, 2026
@dkotter dkotter self-assigned this May 6, 2026
@github-actions

github-actions Bot commented May 6, 2026

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: dkotter <dkotter@git.wordpress.org>
Co-authored-by: jeffpaul <jeffpaul@git.wordpress.org>
Co-authored-by: Intenzi <intenzi@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

@codecov

codecov Bot commented May 6, 2026

Codecov Report

❌ Patch coverage is 90.00000% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.01%. Comparing base (4736d6f) to head (b62cf7f).

Files with missing lines Patch % Lines
.../Abilities/Comment_Moderation/Comment_Analysis.php 83.33% 3 Missing ⚠️
Additional details and impacted files
@@              Coverage Diff              @@
##             develop     #516      +/-   ##
=============================================
+ Coverage      67.23%   68.01%   +0.77%     
- Complexity      1054     1058       +4     
=============================================
  Files             65       65              
  Lines           5024     5037      +13     
=============================================
+ Hits            3378     3426      +48     
+ Misses          1646     1611      -35     
Flag Coverage Δ
unit 68.01% <90.00%> (+0.77%) ⬆️


@Intenzi
Contributor

Intenzi commented May 6, 2026

@dkotter I have tested this PR locally and it works perfectly! Posting a comment no longer errors out for Subscribers and the comment is correctly flagged and dropped into the moderation queue. I was able to verify that anonymous comments are also functional with this.

I also really like this approach, keeping it scoped to the specific class instead of altering Abstract_Ability makes total sense for right now. And adding the filter for the unit tests is a great touch. Thanks for the quick fix!

One quick thought that crossed my mind while testing this: Since this allows the background AI to run on front-end submissions, should we be worried about anonymous comment spam causing API token exhaustion (essentially a Denial of Wallet)? I don't want to distract from this PR since it perfectly fixes the immediate bug.

At a minimum, if a standard spam filter (like Akismet) intercepts the comment first and flags it, such that 'spam' === $comment->comment_approved, the AI shouldn't run. We might also want to consider a toggle for whether AI runs on guest comments at all.

Would you like me to open a new PR to patch that early exit check as it is a simple fix, or should I open an Issue to track this as a broader discussion about mitigating anonymous comment spam?

Either way, I'm going to start working on #509 in the morning! 🌞

@dkotter dkotter requested a review from jeffpaul May 7, 2026 02:57
@dkotter
Collaborator Author

dkotter commented May 7, 2026

Thanks for the review @Intenzi!

Since this allows the background AI to run on front-end submissions, should we be worried about anonymous comment spam causing API token exhaustion (essentially a Denial of Wallet)?

It's a good question and open to thoughts on ways to mitigate this. It's essentially the reason we have the permission check in the first place, to limit the scope of who can initiate an AI request. But in wanting to support non-logged in comments (which I imagine are a good percentage of comments) not sure there's a great way to allow those to be scanned but not allow non-legitimate comments (other than maybe some sort of built-in rate limiting).

At a minimum, if a standard spam filter (like Akismet) intercepts the comment first and flags it, such that 'spam' === $comment->comment_approved, the AI shouldn't run

Yeah, I like this thought, if a comment has already been marked as spam or marked for moderation, likely no reason for us to analyze that comment.

We might also want to consider a toggle for whether AI runs on guest comments at all.

We've so far taken the approach of limiting the amount of settings we have but this is likely a decent middle ground approach for the first problem. Maybe have this default to being on but a site can toggle it off if they don't want to analyze guest comments (or they start getting bombarded by spam and it's using too many tokens).

Would you like me to open a new PR

Always open to review PRs so I think that's a good next step here for any of the points you've raised if you have interest
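An added illustration of the pattern this PR and the review discussion describe (not the plugin's own code): one shared helper reachable both through the permission-guarded Ability and directly from the wp_insert_comment hook, plus the early exit for already-flagged spam suggested in review. The $analyzer callable standing in for the AI connector, the ability name and meta key, and the abbreviated wp_register_ability() argument list are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Guarded path: Ability with a
// permission_callback. Unguarded path: wp_insert_comment, where WordPress has
// already validated the submission. $analyzer and the ability args are assumed.

class Comment_Analysis_Example {
	/** @var callable(string): array  Takes comment text, returns e.g. ['sentiment' => ..., 'toxicity' => ...]. */
	private $analyzer;

	public function __construct( callable $analyzer ) {
		$this->analyzer = $analyzer;
	}

	public function register(): void {
		// Guarded entry point: manual analysis from the Comments screen.
		add_action( 'wp_abilities_api_init', function () {
			wp_register_ability( 'example/analyze-comment', [
				'label'               => 'Analyze comment',
				'description'         => 'Run sentiment and toxicity analysis on a comment.',
				'permission_callback' => fn() => current_user_can( 'moderate_comments' ),
				'execute_callback'    => fn( array $input ) =>
					$this->analyze_comment_by_id( (int) ( $input['comment_id'] ?? 0 ) ),
			] );
		} );
		// Unguarded entry point: fires for every new comment, logged in or not.
		add_action( 'wp_insert_comment', [ $this, 'on_comment_inserted' ], 10, 2 );
	}

	public function on_comment_inserted( int $comment_id, WP_Comment $comment ): void {
		// Early exit from the review thread: a comment a spam filter (e.g. Akismet)
		// already rejected should not consume AI tokens.
		if ( in_array( $comment->comment_approved, [ 'spam', 'trash' ], true ) ) {
			return;
		}
		$this->analyze_comment_by_id( $comment_id );
	}

	/** Shared helper. Deciding whether a capability check applies is the caller's job. */
	public function analyze_comment_by_id( int $comment_id ) {
		$comment = get_comment( $comment_id );
		if ( ! $comment instanceof WP_Comment ) {
			return new WP_Error( 'invalid_comment', 'Comment not found.' );
		}
		$result = ( $this->analyzer )( $comment->comment_content );
		update_comment_meta( $comment_id, '_example_comment_analysis', $result );
		return $result;
	}
}
```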

@jeffpaul jeffpaul mentioned this pull request May 7, 2026
31 tasks
Member

@jeffpaul jeffpaul left a comment


Works well in testing, thanks!

@dkotter
Collaborator Author

dkotter commented May 7, 2026

I'm going to go ahead and merge this as it at least makes this comment moderation experiment work as expected. I think we have some good feedback we can follow up on though for the next release.

@dkotter dkotter merged commit 4c8cf7f into WordPress:develop May 7, 2026
18 checks passed
@dkotter dkotter deleted the fix/comment-moderation-permissions branch May 7, 2026 15:53


Development

Successfully merging this pull request may close these issues.

Fatal permission error during subscriber auto-moderation (Comment Moderation experiment)
