bulk operations on comments

Here's a patch (against HEAD) that gives you the cheap-and-dirty approach (checkboxes that allow bulk approval/unapproval of comments).

I'll leave the gold-plated AJAX solution to someone with more time. :)

- Don't use tabs.
- SQL queries might be vularnable to SQL injection attacks. Use db_query()'s %s and %d directives.

Ok, I think I got rid of all the tabs this time...

I've had to use db_escape_string, rather than the sprintf params to db_query, but it should have the same effect.

minor nits:

we use an extra line in our else clauses. this should be two lines:
} else {

also, you can almost always avoid using db_escape_string() directly. you will need to do a str_repeat('%d, ', count($unpublish)) in the SQL(for unpublish query) and then pass a an array as the last argument to db_query. This is the seldom used 'pass all values in an array' feature of db_query: http://drupaldocs.org/api/head/function/db_query

Oh, so you're saying I should have read the style guide... ;)

I've fixed the brace position, and I've redone the db_query as you suggested.

Thanks!

Code needs more small style fixes. Haven't tried the patch, nor did I try to look at the big picture. However, I agree that the comment approval workflow sucks. How do other systems deal with this? What does their UI and interaction design look like?

Rerolled patch and fixed a few issues: Using ' instead of " now where possible, made "Save changes" translatable, use %d more often, indent code using 2 spaces (not 4). The functionality works as expected and is quite an improvement over the current stuff.

+1 from me.

i read this through and looks good from a style and functionality perspective. I didn't get a chance to test though.

In the recent Drupal administration user experience survey, 86% of respondants said their most common Drupal task was administering comments and other content. This patch aims to improve this common user experience by adding support for bulk operations on comments (publish/unpublish/delete). The code is very much modeled after the bulk operations that are provided by the node module, making the two interfaces much more similar.

I am aiming to get this patch merged before the Drupal 4.7 release.

Cleaned the patch up based on a recent cleanup of the node module.

Changes:

• Removed unnecessary menu option.
• Got rid of caching in comment_load, as I couldn't come up with a logical reason why someone would load a comment more than once per page.
• Replaced direct db query with comment_load elsewhere in module

Changed:

• changed _execute to _submit
• never leave orphans, always delete selected comments and all their children

1. I noticed that function comment_multiple_delete_confirm() uses $_POST['edit']. With the new forms API using $_POST should be avoided, as it is not validated and possibly vulnerable to form injection attacks. Maybe the other mass deletion forms use this too; haven't checked but I figured I'd point this out.
2. I noticed you are still using status codes (comment_operations() uses status = 0). We have defines for these now.
3. Why is it that I can't publish comments under "new comments"? Are all of these guaranteed to be published comments? That is not clear from the name "new comments"; the name implies both published and unpublished comments. The fact there is a status column makes this more confusing. I suggest renaming "new comments" to something more explanator.
4. Should comment_load() be a private function?

1. This also affects the node module. I'd be more than happy to fix this in both places, though sadly I don't have the time to look at this today. Perhaps we could open a bug against the node module and the comment module (if this patch is merged) and I'll have time to post a patch to fix both this weekend.
2. Fixed.
3. Fixed, I removed the useless 'status' colum and renamed 'new coments' to 'published comments'. I had originally nearly added filters like is done in the node module, an easy change, but held off as this patch is already so large.
4. Fixed, I have made it private. (The thinking behind having it public was to expand it to duplicate node_load which would be usable by other modules such as the spam module. For now it does so little that making it private is fine.)

Committed to HEAD. Thanks.

Attached patch fixes:
1. unnecesary db_escape_string($status). $status is an integer.
2. PHP constans are not resolved in strings, I believe current code won't work as expected.

Patch not tested.

Committed to HEAD. Thanks.