query.php mistakenly uses is_admin() to check for admin privileges

[pishmishy]

1. Create a draft post
2. Log out
3. Visit ​http://yourblog.com/index.php/wp-admin/
   • is_admin() spots the wp-admin in the request and returns true
   • query.php uses is_admin() to decide to return future, draft or pending posts
4. Future, draft and pending posts are displayed.

This doesn't require the ' in the request string as reported on Bugtraq.

See ​http://www.securityfocus.com/archive/1/485252/30/0/threaded

12/22 additional disclosure, with trivial, popular example: ​http://www.blackhatdomainer.com/how-to-know-today-what-shoemoney-is-going-to-post-tomorrow/

See line 1172 of query.php for the misuse of is_admin()

Attached patch replaces is_admin() check with current_user_can('level_10'). Perhaps we could explicitly check the user's capabilities but I wasn't sure from the documentation which capabilities we should be looking at. Instead I've just checked if the user is the administrator or not.

What I did (Wordpress 2.3.1):

• Logged into wp-admin with Firefox.
• Created a new post called "DRAFT", with text "DRAFT"
• I saved it (but did not publish it)
• I opened another browser (Opera).
• I tried using the URL you had above (modified for my site) and it does not show me drafts.
• I tried adding the p=<post number> get argument, but I just get a blank page.

I cannot reproduce this problem.

Will the current_user_can() allow the author (possibly a non-admin) to view the draft post that he/she just wrote?

Ciao!

We do a current_user_can() check in the block of code already. is_admin() is used to see what context the user is in. Is the user in the admin? I think we need to retain is_admin() and have it check a constant set in admin.php to determine admin context.

Hmm, the current_user_can() check is just for private posts. I think we need both an is admin user and is in the admin checks.

Actually, edit-pages.php and edit.php filter the results of the is_admin() query. So I think all we need is a proper is_admin() check and not any cap checks.

New patch improves is_admin()

New patch improves is_admin().
Old patch was confused over why is_admin() was used in the first place.
Thanks to Austin Matzko from wp-hackers for the idea.

Looks good to me.

(In [6412]) Better is_admin() check from filosofo and pishmishy. fixes #5487

Replying to docwhat:

What I did (Wordpress 2.3.1):

Finally, someone posted what was missing. The unposted drafts have a date of something really old (1969 or 1999). You have to search back into the archive to find it.

Ciao!

(In [6442]) Better is_admin() check from filosofo and pishmishy. fixes #5487 for 2.3

Don't we need to fix this too?

$wp_query->is_admin (the var) is checked in some places and is still using the old logic instead of the is_admin() function. Shouldn't we fix that too? See patch.

(In [6509]) Use is_admin. Props markjaquith. see #5487

(In [6510]) Use is_admin. Props markjaquith. see #5487