diff --git a/core/frontend/src/admin-auth/message-handler.js b/core/frontend/src/admin-auth/message-handler.js
index 2d5e0e97a3..b70f430aa2 100644
--- a/core/frontend/src/admin-auth/message-handler.js
+++ b/core/frontend/src/admin-auth/message-handler.js
@@ -34,7 +34,10 @@ window.addEventListener('message', async function (event) {
 const res = await fetch('https://admin.egg/blog/ghost/api/canary/admin/comments/' + data.id + '/', {
 method: 'PUT',
 body: JSON.stringify({
- status: 'hidden'
+ comments: [{
+ id: data.id,
+ status: 'hidden'
+ }]
 }),
 headers: {
 'Content-Type': 'application/json'
@@ -52,7 +55,10 @@ window.addEventListener('message', async function (event) {
 const res = await fetch('https://admin.egg/blog/ghost/api/canary/admin/comments/' + data.id + '/', {
 method: 'PUT',
 body: JSON.stringify({
- status: 'published'
+ comments: [{
+ id: data.id,
+ status: 'published'
+ }]
 }),
 headers: {
 'Content-Type': 'application/json'
diff --git a/core/server/api/endpoints/comments.js b/core/server/api/endpoints/comments.js
new file mode 100644
index 0000000000..346396786a
--- /dev/null
+++ b/core/server/api/endpoints/comments.js
@@ -0,0 +1,25 @@
+const models = require('../../models');
+
+module.exports = {
+ docName: 'comments',
+
+ edit: {
+ options: [
+ 'id'
+ ],
+ validation: {
+ options: {
+ id: {
+ required: true
+ }
+ }
+ },
+ permissions: true,
+ query(frame) {
+ return models.Comment.edit({
+ id: frame.data.comments[0].id,
+ status: frame.data.comments[0].status
+ }, frame.options);
+ }
+ }
+};
diff --git a/core/server/api/endpoints/index.js b/core/server/api/endpoints/index.js
index 9e2099cb2c..60cd516535 100644
--- a/core/server/api/endpoints/index.js
+++ b/core/server/api/endpoints/index.js
@@ -181,6 +181,10 @@ module.exports = {
 return shared.pipeline(require('./newsletters'), localUtils);
 },
 
+ get comments() {
+ return shared.pipeline(require('./comments'), localUtils);
+ },
+
 /**
 * Content API Controllers
 *
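Review bot: `data.id` is used unvalidated in two places in message-handler.js: it is concatenated into the request path on the `fetch` context line and now also copied into the new `comments[0].id` body field. Nothing visible in the hunk constrains its shape, and it presumably originates from the `message` event payload. An id carrying path or query characters would change which admin endpoint the PUT addresses, so use `encodeURIComponent(data.id)` in the URL and reject anything that is not a plain object id before calling `fetch`. The same applies to the second hunk at `-52,7 +55,10`. The listener begins outside both hunks, so confirm there that `event.origin` is compared against an allowlist before `data` is acted on.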
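Review bot: In the new comments.js, `query` reads `id` and `status` from `frame.data.comments[0]` without checking that `comments` is a non-empty array, and without tying the body id to the `:id` option that `validation` marks as required. A request with a missing or empty `comments` array would throw a TypeError here instead of producing a validation error, and the id in the body can differ from the one in the path. Consider passing only `{status: frame.data.comments[0].status}` and letting `frame.options.id` select the record, after a guard such as `if (!Array.isArray(frame.data.comments) || !frame.data.comments[0])`. Unless an input schema elsewhere already does it, also restrict `status` to the values the frontend sends (`'hidden'`, `'published'`).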
diff --git a/core/server/models/comment.js b/core/server/models/comment.js
index b1a4335a9b..4fdc647f36 100644
--- a/core/server/models/comment.js
+++ b/core/server/models/comment.js
@@ -70,6 +70,10 @@ const Comment = ghostBookshelf.Model.extend({
 async permissible(commentModelOrId, action, context, unsafeAttrs, loadedPermissions, hasUserPermission, hasApiKeyPermission, hasMemberPermission) {
 const self = this;
 
+ if (hasUserPermission) {
+ return true;
+ }
+
 if (_.isString(commentModelOrId)) {
 // Grab the original args without the first one
 const origArgs = _.toArray(arguments).slice(1);
diff --git a/core/server/web/api/endpoints/admin/routes.js b/core/server/web/api/endpoints/admin/routes.js
index ab46cf951c..c8ba0b3ed9 100644
--- a/core/server/web/api/endpoints/admin/routes.js
+++ b/core/server/web/api/endpoints/admin/routes.js
@@ -31,6 +31,8 @@ module.exports = function apiRoutes() {
 router.put('/posts/:id', mw.authAdminApi, http(api.posts.edit));
 router.del('/posts/:id', mw.authAdminApi, http(api.posts.destroy));
 
+ router.put('/comments/:id', mw.authAdminApi, http(api.comments.edit));
+
 // ## Pages
 router.get('/pages', mw.authAdminApi, http(api.pages.browse));
 router.post('/pages', mw.authAdminApi, http(api.pages.add));
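Review bot: The added `if (hasUserPermission) { return true; }` in `permissible` returns before `action`, `unsafeAttrs` or the comment itself is examined, so everything after it in the method is skipped for any staff user whose role carries the permission. Because the new endpoint declares `permissions: true`, this early return appears to be the entire authorization decision for `PUT /comments/:id`. If that is intended, state it above the branch, for example `// Staff users holding the comment permission bypass the remaining checks in this method.` It would also be safer to reject `unsafeAttrs` keys other than `status` here, so the bypass cannot later widen to other attributes. The rest of `permissible` lies outside the hunk, so what exactly is bypassed needs confirming there.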
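Review bot: The new `router.put('/comments/:id', mw.authAdminApi, http(api.comments.edit));` line in routes.js sits directly under the posts routes with no heading of its own, while the next group opens with `// ## Pages`. Add `// ## Comments` above it so the route is easy to locate when auditing which admin endpoints change state. The body of `apiRoutes` continues outside the hunk.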