Opened 11 years ago
Last modified 6 years ago
#26807 new defect (bug)
Comments on private posts should also be private in admin depending on role
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.1 |
| Component: | Role/Capability | Keywords: | needs-patch |
| Focuses: | | Cc: | |
Description
Repro:
- As user X, create a private post.
- As user X, add a comment to the private post.
- As user Y with Contributor role, go to the comment listing screen.
Actual Result: Contributor user Y can see the post in the listing.
Expected: Comments on private posts should not be visible to users who don't have elevated capabilities. There's a potential here for information disclosure, as when a comment quotes content from the private post.
There's already a cap check in WP_Comments_List_Table::single_row(), so it seems like we could suppress display as well based on that check (in fact, I did so to test), though working out the counts for display above the table and for pagination will likely be a little more involved.
Attachments (1)
Change History (5)
#1 @ 11 years ago
Definitely something I think should be addressed.
I'm not immediately sure how to do it, but I'd propose that we modify the query so that comments on private posts are not returned in the query at all (if the user can't view the private posts).
Logged in as contributor user, able to see private comment in list.
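The query-level fix proposed in comment #1, written here as an added example rather than a patch from this ticket or from WordPress core: a must-use plugin that hooks the real `comments_clauses` filter so that, in wp-admin, comments on private posts are only returned to users who hold `read_private_posts` or who authored the post. The function name and the SQL fragment are this example's own.

```php
<?php
/**
 * Added example, not part of ticket #26807 or of WordPress core.
 * Drop into wp-content/mu-plugins/ to narrow the admin comment query.
 */
add_filter( 'comments_clauses', 'example_hide_private_post_comments', 10, 2 );

function example_hide_private_post_comments( array $clauses, WP_Comment_Query $query ) {
    global $wpdb;

    // Only the admin comment listing is in scope for the ticket; front-end
    // comment output runs against a single post that was already authorised.
    if ( ! is_admin() ) {
        return $clauses;
    }

    // Editors and above hold read_private_posts by default and may see everything.
    if ( current_user_can( 'read_private_posts' ) ) {
        return $clauses;
    }

    // Exclude comments whose parent post is private and not owned by the
    // current user. A subquery avoids adding a second JOIN on the posts table,
    // which core may already have added for post_* query arguments.
    $condition = $wpdb->prepare(
        "{$wpdb->comments}.comment_post_ID NOT IN (
            SELECT ID FROM {$wpdb->posts}
            WHERE post_status = 'private' AND post_author <> %d
        )",
        get_current_user_id()
    );

    // The filtered where clause may be empty; do not emit a dangling AND.
    $clauses['where'] = $clauses['where']
        ? "{$clauses['where']} AND {$condition}"
        : $condition;

    return $clauses;
}
```

Because WP_Comment_Query reuses the filtered where clause for its COUNT query, the pagination total follows the narrowed result set; the status counts above the list come from wp_count_comments(), which this filter does not touch, so that part still needs the separate work the reporter anticipates.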