Users with edit_posts capability can see everyone's comments, IPs, and email addresses
Reported by: idahofallzcom | Owned by: markjaquith
Severity: normal | Keywords: needs-patch reporter-feedback needs-testcase
Description (last modified by markjaquith)
I've been fighting this problem for several weeks now. I've updated Role Manager to the new one (not the Owen Winkler version), and it also does not fix the problem.
Everyone above subscriber can click "comments" and see everyone's comments, email addresses, and IP addresses. This is a very BAD thing.
From what I've read, edit_posts for contributor and authors is supposed to only display the person's own comments. However this function is broken somehow and instead anyone can see everyone else's comments.
Mark Jaquith says:
It wasn't designed to restrict people with edit_posts from only being able to see the comments they can edit. That would require a slight tweak in the code.
Is this a core code issue or a plugin issue? I think it is core code.
This is very important for me to resolve because I've had to demote everyone on my blog to subscriber, and nobody is able to post anymore.
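A mitigation of the kind Mark describes ("a slight tweak in the code"), added here as an illustration; it is not code from WordPress core or from this ticket. It assumes a WordPress version whose WP_Comment_Query accepts the post_author__in argument and exposes the pre_get_comments action and comment_email filter, and it uses edit_others_posts / moderate_comments as the line between "sees own comments" and "moderates everything":

```php
<?php
/**
 * Plugin Name: Limit comment listing to own posts (example mitigation)
 *
 * Hypothetical plugin: users who can edit posts but not other people's posts
 * (Contributors, Authors) only see comments on posts they authored in the
 * admin comment list, and never see commenter e-mail addresses there.
 */

add_action( 'pre_get_comments', 'example_limit_comments_to_own_posts' );

function example_limit_comments_to_own_posts( WP_Comment_Query $query ) {
    // Only narrow admin-side listings (edit-comments.php, its AJAX requests);
    // front-end comment display is governed by the theme, not by this check.
    if ( ! is_admin() ) {
        return;
    }
    // Editors and Administrators keep full moderation visibility.
    if ( current_user_can( 'edit_others_posts' ) || current_user_can( 'moderate_comments' ) ) {
        return;
    }
    // Everyone else: restrict the query to comments on the current user's posts.
    $query->query_vars['post_author__in'] = array( get_current_user_id() );
}

add_filter( 'comment_email', 'example_hide_commenter_email_from_non_moderators', 10, 2 );

/**
 * Defence in depth: even for the comments a non-moderator may see, do not
 * render the commenter's e-mail address in the author column.
 */
function example_hide_commenter_email_from_non_moderators( $email, $comment ) {
    if ( is_admin() && ! current_user_can( 'moderate_comments' ) ) {
        return '';
    }
    return $email;
}
```

Verify by logging in as an Author and opening the Comments screen: only comments on that user's own posts should be listed, and the e-mail link in the Author column should be absent; an Editor should still see the full list.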
Change History (18)
- Description modified (diff)
- Owner changed from anonymous to markjaquith
- Severity changed from critical to major
- Status changed from new to assigned
- Summary changed from Everyone above subscriber sees everyone's comments, IPs, and emails to Users with edit_posts capability can see everyone's comments, IPs, and email addresses
- Type changed from defect to enhancement
- Milestone changed from 2.5 to 2.7
- Resolution fixed deleted
- Status changed from closed to reopened
- Version changed from 2.1.3 to 2.7
- Keywords needs-patch reporter-feedback needs-testcase added; comments edit_posts IP email privacy subscriber author role_manager removed
- Milestone 2.9 deleted
- Resolution set to fixed
- Status changed from reopened to closed