Make WordPress Core

Opened 13 months ago

Last modified 13 months ago

#23939 new defect (bug)

Wrong capability check in wp_ajax_replyto_comment

Reported by: fgauthier
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.1
Component: Comments
Keywords: has-patch
Focuses:
Cc:

Description

The wp_ajax_replyto_comment function in wp-admin/includes/ajax-actions.php checks the "edit_post" capability instead of the "edit_comment" capability.

Attached a tested patch.

Attachments (2)

23939.patch (446 bytes) - added by ocean90 13 months ago.
wp_ajax_replyto_comment.patch (874 bytes) - added by fgauthier 13 months ago.
Replaces the "edit_post" capability by the "edit_comment" capability in wp_ajax_replyto_comment


Change History (12)

comment:1 nacin, 13 months ago

edit_post is proper here. The question is, can they edit the post to which they are posting a comment? Yes, they can. And because of that, they are allowed to reply from the admin. edit_comment would only make sense if we had a comment to check against. Here, we have a post to check against.

comment:2 fgauthier, 13 months ago

I may be confused, but wp_ajax_replyto_comment is called from the admin -> comments console when the admin clicks the reply link of a comment, not a post.

This function allows the admin to reply to a comment and potentially approve the comment to which he is replying. It seems to me that we have a comment to check against, not a post.

Also, approving comments in wp-admin/edit-comments.php requires the "edit_comment" capability, not "edit_post".

Last edited 13 months ago by fgauthier

ocean90, 13 months ago (attachment added)

comment:3 ocean90, 13 months ago

See 23939.patch, we are checking against a post id, not a comment id.

fgauthier, 13 months ago (attachment added)

Replaces the "edit_post" capability by the "edit_comment" capability in wp_ajax_replyto_comment

comment:4 fgauthier, 13 months ago

I see, thanks for the explanation.

Then I guess my question is, why don't we check the comment ID instead? It would make more sense IMHO given that this function approves comments.

I updated the patch to check the comment id instead of the post id.

comment:5 follow-up: ocean90, 13 months ago

Because the parent comment will be approved when you reply to it. And you are only allowed to change a status of a comment if you can edit the post to which the comment was posted.

comment:6 in reply to: ↑ 5; follow-up: nacin, 13 months ago

Replying to ocean90:

Because the parent comment will be approved when you reply to it. And you are only allowed to change a status of a comment if you can edit the post to which the comment was posted.

Yeah... So, there should probably be an edit_comment check on the comment to which the user is replying. This maps to the exact same edit_post check, but who knows what a plugin may be doing with it.

comment:7 in reply to: ↑ 6 fgauthier, 13 months ago

Replying to nacin:

Replying to ocean90:

Because the parent comment will be approved when you reply to it. And you are only allowed to change a status of a comment if you can edit the post to which the comment was posted.

Yeah... So, there should probably be an edit_comment check on the comment to which the user is replying. This maps to the exact same edit_post check, but who knows what a plugin may be doing with it.

I agree, and it would be consistent with wp-admin/edit-comments.php, where both edit_posts AND edit_comment are checked before the approval of a comment.
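The capability decision the thread argues over, written out as an added PHP example. This is not code from WordPress core or from either attached patch. The request field names (comment_post_ID, comment_ID), the wp_die( -1 ) failure path, the helper function names and the plugin filter with its protected_comment_author option are assumptions made for illustration; what the ticket itself establishes is only that the handler checks edit_post against a post id and approves the parent comment when a reply is posted.

```php
<?php
// Added example, not WordPress core's code. Field names, helper names and
// the wp_die( -1 ) convention are assumptions about the AJAX handler.

// Shape of the check as the ticket describes it: the handler only knows a
// post id, so it asks "may this user edit the post the reply goes to?".
function example_replyto_allowed_by_post( $comment_post_ID ) {
    return current_user_can( 'edit_post', (int) $comment_post_ID );
}

// Shape proposed in comments 4 to 7: the parent comment is approved as a
// side effect of the reply, so ask about that comment. In unmodified core
// this resolves to the same edit_post test via map_meta_cap().
function example_replyto_allowed_by_comment( $comment_ID ) {
    $parent = get_comment( (int) $comment_ID );
    if ( ! $parent ) {
        return false; // no such comment: nothing to reply to or approve
    }
    return current_user_can( 'edit_comment', $parent->comment_ID );
}

// Why the two checks are not interchangeable: a hypothetical plugin that
// refuses edit_comment for comments left by a protected account. It only
// gets a say when the handler actually asks for edit_comment; a bare
// edit_post check on the post never consults it.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( 'edit_comment' !== $cap || empty( $args[0] ) ) {
        return $caps;
    }
    $comment   = get_comment( $args[0] );
    // 'protected_comment_author' is a made-up option for this example.
    $protected = get_option( 'protected_comment_author' );
    if ( $comment && $protected && $protected === $comment->comment_author_email ) {
        $caps[] = 'do_not_allow'; // has_cap() turns this into a denial
    }
    return $caps;
}, 10, 4 );

// Handler skeleton (assumed request layout) showing where each gate sits.
function example_replyto_comment_handler() {
    $comment_post_ID = isset( $_POST['comment_post_ID'] ) ? (int) $_POST['comment_post_ID'] : 0;
    $comment_parent  = isset( $_POST['comment_ID'] ) ? absint( $_POST['comment_ID'] ) : 0;

    // Post-level gate: what the ticket says the handler does today.
    if ( ! example_replyto_allowed_by_post( $comment_post_ID ) ) {
        wp_die( -1 );
    }
    // Comment-level gate on the comment that is about to be approved.
    if ( $comment_parent && ! example_replyto_allowed_by_comment( $comment_parent ) ) {
        wp_die( -1 );
    }
    // ... insert the reply and approve $comment_parent ...
}
```

Running this under WordPress, a user who can edit the post passes the first gate regardless of the filter; the second gate is the only place where a plugin that hooks the edit_comment mapping, as comment:6 worries about, can deny the approval of the parent comment.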

comment:8 follow-up: SergeyBiryukov, 13 months ago

  • Version changed from trunk to 2.7

Has been this way since the feature was introduced in [8720].

comment:9 in reply to: ↑ 8 fgauthier, 13 months ago

Replying to SergeyBiryukov:

Has been this way since the feature was introduced in [8720].

Yeah, but in ticket:14520 and [15596], the edit_comment capability was introduced in edit-comment.php to replace edit_post. The wp_ajax_replyto_comment function performs similar operations but is still protected by the edit_post capability.

comment:10 SergeyBiryukov, 13 months ago

  • Version changed from 2.7 to 3.1