Hurumph. I had the same problem, which means any logged-in user could edit all the comments, regardless of role.
For those who want the solution, here it is In the file /wp-ajax-edit-comments/lib/class.filters.php replace everything starting at line 76 through to the end of the "if (!AEC.." statement ending on line 96 with the code from pastebin. Use at your own risk. Admin roles can edit everything, original comment authors can only edit their own and anonymous editing still works.
Here is what I changed:
- Added "is_user_logged_in" to the top which is where logged in users were getting all their links from. (Discussed below)
- For logged in users, compared the comment owner ID against the logged in user ID or checked for admins.
The crazy thing is that the original code should work! At the top of the IF statement it calls "AECCore::is_comment_owner" which then calls a WordPress function "current_user_can ('edit_post'..". But for a logged-in user who is the owner of the comment, that call "current_user_can" doesn't return true. It should. What's even more odd is that an anonymous user gets a true back. It shouldn't. (Latest version V3.4.1) I am stumped and I tested a lot of variants, for example "current_user_can ('edit_comment'..." doesn't return true either and yet the current comment and user objects on the page all look correct.
My first guess is a problem with context, or unexposed globals, but those all work when I referenced them directly.
There have been other comments in the forum here where they say that editing is based on IP, as in, if you log in with a different user from the same IP, it gives them access to editing. This hasn't been my experience, as I tried the site from a different IP with a different user and got the same all-access-editing pass. The fix above worked from the same IP anyway.