WordPress.org

Make WordPress Core

Opened 9 years ago

Closed 4 years ago

#16134 closed defect (bug) (fixed)

Check capabilities/role before adding comment links to email

Reported by: GaryJ Owned by:
Milestone: 3.1 Priority: normal
Severity: normal Version: 3.0.4
Component: Comments Keywords: has-patch needs-refresh
Focuses: Cc:

Description

Currently the Trash it, Delete it, Spam it are added to comment notifcation emails, which are sent to the author.

However, the author may have had their role changed down to a lower-role (or had capability removed) since they wrote the post, and no longer would have permissions to use the links added to the email.

It may also be the case that a subscriber user was assigned as the Post Author (perhaps as a sort of Guest Author) for a post, and never had the permissions to use those links.

Can some sort of check be added, before these links be added to the email?

Attachments (1)

16134.patch (1.4 KB) - added by solarissmoke 9 years ago.
Check that a post author still has permissions to edit comments before inserting spam/trash links into notification email

Download all attachments as: .zip

Change History (14)

#1 @solarissmoke
9 years ago

Think this should be relatively easy to do, here's a patch that works for me.

#2 @solarissmoke
9 years ago

  • Keywords has-patch dev-feedback added; needs-patch removed

@solarissmoke
9 years ago

Check that a post author still has permissions to edit comments before inserting spam/trash links into notification email

#3 @dd32
9 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release

#4 follow-up: @tislam100
9 years ago

I tried your patch by making a plugin. Now, whenever I post a comment I get a blank page. here is the link to the plugin:

http://pastebin.com/9zeAecXj

#5 in reply to: ↑ 4 @solarissmoke
9 years ago

  • Keywords dev-feedback removed

Replying to tislam100:

I tried your patch by making a plugin. Now, whenever I post a comment I get a blank page.

Works fine for me. Are you using trunk?

#6 @tislam100
9 years ago

What is trunk? Did you try the plugin I made? Maybe there is a bug in the plugin. can you take a look at it?

Thank you.

#7 @solarissmoke
9 years ago

Trunk is the latest development version of Wordpress, as opposed to the latest stable version. The patch (and your plugin) will not work in Wordpress 3.0.5 because it uses the user_can() function is new to Wordpress 3.1. It works in 3.1 however.

#8 @tislam100
9 years ago

any alternative to user_can() that works in wordpress 3.0.5?
Can it be done with user role?

Thanks

#9 @solarissmoke
9 years ago

This is going off-topic for this ticket. Please lets take this to #wordpress IRC or the support forums.

#10 @tislam100
9 years ago

yeah. you are right. I am sorry.

#11 @sillybean
6 years ago

  • Cc steph@… added

#12 @rachelbaker
4 years ago

  • Keywords needs-refresh added; 3.2-early removed

#13 @wonderboymusic
4 years ago

  • Milestone changed from Future Release to 3.1
  • Resolution set to fixed
  • Status changed from new to closed

Since [16223], the post_author doesn't even get the email if they don't pass user_can( $user->ID, 'edit_comment', $comment_id ) - which is the same check the proposed patch suggests.

Note: See TracTickets for help on using tickets.