WordPress.org

Make WordPress Core

Opened 6 years ago

Last modified 6 weeks ago

#26807 new defect (bug)

Comments on private posts should also be private in admin depending on role

Reported by: dllh
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.1
Component: Role/Capability
Keywords: needs-patch
Focuses:
Cc:

Description

Repro:

  1. As user X, create a private post.
  2. As user X, add a comment to the private post.
  3. As user Y with Contributor role, go to the comment listing screen.

Actual Result: Contributor user Y can see the post in the listing.

Expected: Comments on private posts should not be visible to users who don't have elevated capabilities. There's a potential here for information disclosure, as when a comment quotes content from the private post.

There's already a cap check in WP_Comments_List_Table::single_row(), so it seems like we could suppress display as well based on that check (in fact, I did so to test), though working out the counts for display above the table and for pagination will likely be a little more involved.

Attachments (1)

private-comments.png (319.9 KB) - added by dllh 6 years ago.
Logged in as contributor user, able to see private comment in list.


Change History (5)

@dllh
6 years ago

Logged in as contributor user, able to see private comment in list.

#1 @mordauk
5 years ago

Definitely something I think should be addressed.

I'm not immediately sure how to do it, but I'd propose that we modify the query so that comments on private posts are not returned in the query at all (if the user can't view the private posts).

#2 @johnbillion
5 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from trunk to 3.1

The ideal solution here would be a perm argument for WP_Comment_Query, similar to WP_Query, but I'm not sure how realistic that is.
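To make the query-level approach concrete (the description's suggestion to suppress rows the cap check would reject, mordauk's proposal in #1 to keep such comments out of the query entirely, and johnbillion's `perm`-style idea in #2), here is an added example. It is not code from the ticket, from the reporter, or from WordPress core. It assumes it is loaded as a plugin on a standard install and relies only on things that exist in core: the `comments_clauses` filter that `WP_Comment_Query` applies to its SQL fragments, the `read_private_posts` capability, `get_current_user_id()` and `$wpdb`. The function name `ex26807_hide_private_post_comments` is made up for the illustration.

```php
<?php
/**
 * Plugin Name: Hide comments on private posts (illustration for Trac #26807)
 *
 * Added example, not WordPress core code. Narrows every WP_Comment_Query run
 * in the admin by a user who may not read private posts, so comments attached
 * to other people's private posts never reach the list table.
 */

add_filter( 'comments_clauses', 'ex26807_hide_private_post_comments', 10, 2 );

/**
 * Append a condition to the comment query's WHERE clause.
 *
 * @param string[]         $clauses SQL fragments: fields, join, where, orderby, limits, groupby.
 * @param WP_Comment_Query $query   The running query (unused here).
 * @return string[] Possibly modified clauses.
 */
function ex26807_hide_private_post_comments( $clauses, $query ) {
	global $wpdb;

	// Only the admin screens are in scope for this ticket; front-end rendering
	// of comments already happens after the post's own visibility checks.
	if ( ! is_admin() ) {
		return $clauses;
	}

	// Users holding the generic read_private_posts cap (Editor, Administrator
	// by default) keep seeing everything. Users with no cap at all are not
	// special-cased: an unauthenticated request gets user ID 0 below.
	if ( current_user_can( 'read_private_posts' ) ) {
		return $clauses;
	}

	$user_id = get_current_user_id();

	// A subquery is used instead of an extra JOIN on purpose: WP_Comment_Query
	// already joins $wpdb->posts when post_status/post_type/post_author args
	// are set, and a second unaliased JOIN on the same table would collide.
	// A user may still see comments on private posts they authored themselves.
	$condition = $wpdb->prepare(
		"{$wpdb->comments}.comment_post_ID NOT IN (
			SELECT ID FROM {$wpdb->posts}
			WHERE post_status = 'private' AND post_author <> %d
		)",
		$user_id
	);

	// WP_Comment_Query prefixes 'WHERE ' only if the clause is non-empty, so
	// avoid emitting a dangling "AND" when nothing else restricted the query.
	if ( '' === trim( (string) $clauses['where'] ) ) {
		$clauses['where'] = $condition;
	} else {
		$clauses['where'] .= ' AND ' . $condition;
	}

	return $clauses;
}
```

Because `WP_Comments_List_Table::prepare_items()` fetches its rows and its total for pagination through `get_comments()`, both queries pass through this filter, so the page count stays consistent with the rows shown. The per-status counts in the views above the table come from `wp_count_comments()`, which runs its own SQL and exposes a separate `wp_count_comments` filter; that is the part the reporter expected to be more involved, and this example leaves it untouched. The generic `read_private_posts` cap also does not reflect custom post types that map their own `read_private_*` capabilities, which is where a per-row check like the one in `single_row()` remains necessary.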

#3 @chriscct7
4 years ago

  • Keywords needs-unit-tests added

#4 @chriscct7
4 years ago

  • Keywords needs-unit-tests removed