WordPress.org

Make WordPress Core

Opened 11 years ago

Closed 6 years ago

#16134 closed defect (bug) (fixed)

Check capabilities/role before adding comment links to email

Reported by: GaryJ Owned by:
Milestone: 3.1 Priority: normal
Severity: normal Version: 3.0.4
Component: Comments Keywords: has-patch needs-refresh
Focuses: Cc:

Description

Currently the Trash it, Delete it, Spam it are added to comment notifcation emails, which are sent to the author.

However, the author may have had their role changed down to a lower-role (or had capability removed) since they wrote the post, and no longer would have permissions to use the links added to the email.

It may also be the case that a subscriber user was assigned as the Post Author (perhaps as a sort of Guest Author) for a post, and never had the permissions to use those links.

Can some sort of check be added, before these links be added to the email?

Attachments (1)

16134.patch (1.4 KB) - added by solarissmoke 11 years ago.
Check that a post author still has permissions to edit comments before inserting spam/trash links into notification email

Download all attachments as: .zip

Change History (14)

#1 @solarissmoke
11 years ago

Think this should be relatively easy to do, here's a patch that works for me.

#2 @solarissmoke
11 years ago

  • Keywords has-patch dev-feedback added; needs-patch removed

@solarissmoke
11 years ago

Check that a post author still has permissions to edit comments before inserting spam/trash links into notification email

#3 @dd32
11 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release

#4 follow-up: @tislam100
11 years ago

I tried your patch by making a plugin. Now, whenever I post a comment I get a blank page. here is the link to the plugin:

http://pastebin.com/9zeAecXj

#5 in reply to: ↑ 4 @solarissmoke
11 years ago

  • Keywords dev-feedback removed

Replying to tislam100:

I tried your patch by making a plugin. Now, whenever I post a comment I get a blank page.

Works fine for me. Are you using trunk?

#6 @tislam100
11 years ago

What is trunk? Did you try the plugin I made? Maybe there is a bug in the plugin. can you take a look at it?

Thank you.

#7 @solarissmoke
11 years ago

Trunk is the latest development version of Wordpress, as opposed to the latest stable version. The patch (and your plugin) will not work in Wordpress 3.0.5 because it uses the user_can() function is new to Wordpress 3.1. It works in 3.1 however.

#8 @tislam100
11 years ago

any alternative to user_can() that works in wordpress 3.0.5?
Can it be done with user role?

Thanks

#9 @solarissmoke
11 years ago

This is going off-topic for this ticket. Please lets take this to #wordpress IRC or the support forums.

#10 @tislam100
11 years ago

yeah. you are right. I am sorry.

#11 @sillybean
8 years ago

  • Cc steph@… added

#12 @rachelbaker
6 years ago

  • Keywords needs-refresh added; 3.2-early removed

#13 @wonderboymusic
6 years ago

  • Milestone changed from Future Release to 3.1
  • Resolution set to fixed
  • Status changed from new to closed

Since [16223], the post_author doesn't even get the email if they don't pass user_can( $user->ID, 'edit_comment', $comment_id ) - which is the same check the proposed patch suggests.

Note: See TracTickets for help on using tickets.