WordPress.org

Make WordPress Core

Opened 7 months ago

Last modified 2 months ago

#25338 new enhancement

Comments of password-protected posts should not be shown to logged-in users without edit capability

Reported by: kraftbj Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Comments Keywords: needs-patch
Focuses: Cc:

Description

Currently, if an user creates a password-protected post, Authors and lower roles cannot view the post neither on the front end nor in the backend, unless it was their own post (or they have the password).

However, they can see comments of those posts while viewing edit-comments.php.

Suggested that comments of password-protected posts should not be displayed to users without ability to view/edit the post in the admin.

Change History (1)

comment:1 danielbachhuber2 months ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Type changed from defect (bug) to enhancement

Thanks for the report. At this time, it wouldn't be easy to filter out comments from password-protected posts because get_comments() is relatively decoupled from the state of whether or not a post requires a password.

Technically-speaking, the most straightforward way to do this would be to join on the posts table and filter based on the value of the post_password column. The performance of this approach would need to be assessed. Additionally, I'd recommend this change be made within WP_Comments_List_Table->prepare_items(), instead of being added as a new feature of WP_Comment_Query. It's a better pattern to perform the capability check outside of the API.

Note: See TracTickets for help on using tickets.