WordPress.org

Make WordPress Core

Opened 11 years ago

Closed 11 years ago

Last modified 7 months ago

#101 closed defect (bug) (fixed)

Security Breach: Editing of others' posts with Level 1

Reported by: anonymousbugger
Owned by: michel v
Milestone:
Priority: normal
Severity: major
Version: 1.2
Component: General
Keywords:
Focuses:
Cc:

Description

If there are several users set to level one, they can edit all posts by every user at this level. On the blog there is always the "edit this" link, and the administration doesn't validate either.

Change History (6)

comment:2 @anonymousbugger 11 years ago

I have fixed it by adding something like:

if (($user_level == 1 || $user_level == 2) && ($authordata->ID != $user_ID))
    return; // or die;

to the function edit_post_link in wp-includes/template-functions-links.php and to the file wp-admin/post.php in the edit part.
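The rule from comment:2, applied at both places the comment names, as an added example that is not part of the ticket or of WordPress core. Function names and sample data are hypothetical, and levels other than 1 and 2 are assumed to be covered by checks not shown here.

```php
<?php
// Added illustration; function names and sample data are hypothetical,
// not WordPress core code.

// Constructed data: users 1 and 2 are level 1, each owning one post.
$levels = [1 => 1, 2 => 1];
$posts  = [10 => ['author' => 1, 'title' => 'first'],
           11 => ['author' => 2, 'title' => 'second']];

// Rule from comment:2: levels 1 and 2 may only edit their own posts.
// Other levels are assumed to be covered by checks not shown here.
function owner_rule_blocks(int $level, int $user_id, int $author_id): bool {
    return ($level == 1 || $level == 2) && $author_id != $user_id;
}

// Display side (the edit_post_link role): no link for a blocked user.
function edit_link(array $levels, array $posts, int $user_id, int $post_id): string {
    if (owner_rule_blocks($levels[$user_id], $user_id, $posts[$post_id]['author'])) {
        return '';
    }
    return "[edit this: post $post_id]";
}

// Request side (the wp-admin/post.php role). Hiding the link does not stop
// a request for another post ID, so the same rule must run here as well.
function save_edit(array $levels, array &$posts, int $user_id, int $post_id,
                   string $title, bool $enforce): string {
    if (!isset($levels[$user_id], $posts[$post_id])) {
        return 'rejected: unknown user or post';
    }
    if ($enforce && owner_rule_blocks($levels[$user_id], $user_id, $posts[$post_id]['author'])) {
        return 'rejected: not the author';
    }
    $posts[$post_id]['title'] = $title;
    return 'saved';
}

// User 1 acting on user 2's post (11) and on their own post (10).
printf("link on 11: '%s'\n", edit_link($levels, $posts, 1, 11));
printf("link on 10: '%s'\n", edit_link($levels, $posts, 1, 10));
$copy = $posts; // link-only fix: handler still accepts the edit
printf("handler without check: %s\n", save_edit($levels, $copy, 1, 11, 'changed', false));
printf("handler with check:    %s\n", save_edit($levels, $posts, 1, 11, 'changed', true));
printf("own post with check:   %s\n", save_edit($levels, $posts, 1, 10, 'updated', true));
```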

comment:3 @michel v 11 years ago

  • Owner changed from anonymous to michel v
  • Resolution changed from 10 to 20
  • Status changed from new to closed

comment:5 @slackbot 7 months ago

This ticket was mentioned in Slack in #forums by ipstenu. View the logs.

comment:6 @slackbot 7 months ago

This ticket was mentioned in Slack in #forums by ipstenu. View the logs.
