Opened 11 years ago
Last modified 5 years ago
#25338 new enhancement
Comments of password-protected posts should not be shown to logged-in users without edit capability
Reported by: kraftbj
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Comments
Keywords: needs-patch
Focuses:
Cc:
Description
Currently, if a user creates a password-protected post, Authors and lower roles cannot view the post either on the front end or in the backend, unless it is their own post (or they have the password).
However, they can see the comments on those posts while viewing edit-comments.php.
It is suggested that comments on password-protected posts should not be displayed in the admin to users without the ability to view or edit the post.
Change History (2)
#1 @ 11 years ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
- Type changed from defect (bug) to enhancement

Thanks for the report. At this time, it wouldn't be easy to filter out comments from password-protected posts because `get_comments()` is relatively decoupled from the state of whether or not a post requires a password. Technically speaking, the most straightforward way to do this would be to join on the posts table and filter based on the value of the `post_password` column. The performance of this approach would need to be assessed. Additionally, I'd recommend this change be made within `WP_Comments_List_Table->prepare_items()`, instead of being added as a new feature of `WP_Comment_Query`. It's a better pattern to perform the capability check outside of the API.
#2 @ 10 years ago
Hi. I added the condition on the joined table and the comments with password-protected fields get filtered out. Now, what remains is to set permissions. Who gets to see the comments and who doesn't? Anyone who can `edit_posts`? But what if I am an `author` who has locked the post? In this case, another `author` can see the comments on my locked post. So, it's kind of a mess.
Personally, I am of the opinion that the comments should remain unseen always unless you are an `editor` or above. I am open to other opinions.
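One way a plugin could do the list-table-level filtering discussed in this ticket, as an added example that is not part of the ticket, its patch or WordPress core: it hooks the `comments_list_table_query_args` filter (assumed to exist in current WordPress) and excludes posts found via the `has_password` query argument with a per-post `edit_post` check, rather than adding the SQL join on `post_password` that the first comment sketches. The `hcpp_` function names are this example's own.

```php
<?php
/**
 * Plugin Name: Hide Comments on Password-Protected Posts (added example, not WordPress core code)
 *
 * Filters the arguments WP_Comments_List_Table::prepare_items() passes to
 * WP_Comment_Query (hook assumed available in current WordPress) so that
 * edit-comments.php omits comments on password-protected posts the current
 * user cannot edit; the capability check stays in the list-table layer.
 */
add_filter( 'comments_list_table_query_args', 'hcpp_filter_list_table_args' );

/**
 * @param array $args Arguments about to be passed to WP_Comment_Query.
 * @return array Arguments with protected posts the user may not edit excluded.
 */
function hcpp_filter_list_table_args( array $args ) {
	$hidden = hcpp_protected_post_ids_user_cannot_edit();
	if ( empty( $hidden ) ) {
		return $args;
	}
	// Preserve any exclusion another plugin already placed in the arguments.
	$existing             = isset( $args['post__not_in'] ) ? (array) $args['post__not_in'] : array();
	$args['post__not_in'] = array_values( array_unique( array_merge( $existing, $hidden ) ) );
	return $args;
}

/**
 * IDs of password-protected posts the current user lacks edit_post for:
 * Authors keep their own, Editors and above keep all, the rest are hidden.
 *
 * @return int[]
 */
function hcpp_protected_post_ids_user_cannot_edit() {
	// has_password => true limits WP_Query to posts with a non-empty post_password.
	$protected = get_posts( array(
		'post_type'      => 'any',
		'post_status'    => 'any',
		'has_password'   => true,
		'posts_per_page' => -1,
		'fields'         => 'ids',
		'no_found_rows'  => true,
	) );
	$hidden = array();
	foreach ( $protected as $post_id ) {
		if ( ! current_user_can( 'edit_post', $post_id ) ) {
			$hidden[] = (int) $post_id;
		}
	}
	return $hidden;
}
```

Only `WP_Comments_List_Table::prepare_items()` applies this filter, so other `get_comments()` callers such as the dashboard Recent Comments widget are untouched, which is the decoupling the first comment points out. The per-post capability loop also grows with the number of protected posts, so its cost should be measured as that comment recommends.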