I was under the impression that only admins/editor roles can approve comments however our authors are able to do so as well on their own posts. I want to disable the ability for an author to approve comments on their posts.
Under dashboard settings > discussions >
Before a comment appears–
Selected: Comment must be manually approved
Unselected: Comment author must have a previously approved comment
The ability to set comment status is tied to the “edit_comment” capability, which is a meta-capability in WordPress. It maps to the “edit_post” capability, which is another meta-capability that varies depending on whether a post is published or not.
In the end, if a post is published, then edit_comment ends up mapping to “edit_published_posts” for the post_author, or “edit_others_posts” for people who are not the post author. Meaning that yes, people marked as Author have the ability to moderate comments on their own posts, but not across the board like people with the “moderate_comments” capability would.
As this is hardcoded (as all meta-caps are), you would need to add an additional filter to turn it off. It’s not something you can adjust with a role manager plugin.
A simpler way would be to make those people not Authors, but Contributors instead. As Authors already have the ability to “publish_posts” on their own, and thus add content to the site without additional approval, they are expected to be trusted users in the sense that they can add content and thus able to approve comments.
Another way would be to remove the “edit_published_posts” from the Author, but this would also disallow them from editing content once it has been published. Again, this makes sense, if they can’t be trusted to show comments, then they shouldn’t be trusted to change already published content either.
It all really depends on trust and what you want to allow people to do. The system is consistent as it is now, in terms of security.
According to the Codex: Roles_and_Capabilities both the Admin and Editor roles have the capability of managing comments.
At the bottom of that Codex page under Resources there are a few plugins listed for easily changing the capabilities of user roles ( other than Administrator ) and there are references to functions you can use to change the capabilities of a specific role.