#27132 closed defect (bug) (fixed)
Activity module shown by default for 'subscribers' includes scheduled posts
Reported by: | kirrus | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 3.8.2 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Administration | Keywords: | has-patch |
Focuses: | ui, administration | Cc: | |
Description
A subscriber can see upcoming posts in their wp-admin page;
https://twitter.com/ActionBcool/status/434710377419378689
This is a problem for this specific site, because it can expose embargoed information, and get them into a lot of trouble. There doesn't appear to be a way to disable this function without a plugin currently.
I'm not sure if this is a bug (information disclosure), or a feature request (please can you make it optional?).
Attachments (5)
Change History (14)
#2 (11 years ago)
- Keywords needs-patch added
- Milestone changed from Awaiting Review to 3.8.2
- Type changed from feature request to defect (bug)
Confirmed.
In addition, the links for each post (which is an 'edit' link) do not have capability checks in place, resulting in dead links for users who cannot edit the posts.
#3 (11 years ago)
- Keywords has-patch added; needs-patch removed
In the attached patch I've encapsulated the query for future posts in a current_user_can condition.
#4 (11 years ago)
kirrus: You should be able to use remove_meta_box() to get rid of it in the interim - can dig up some code if you'd like.
jackreichert: I'd probably just move the wp_add_dashboard_widget() call up a few lines to be within the same conditional as Right Now, as I don't see anything particularly valuable for somebody who can't edit posts. That said, though, there should also be various cap checks within the widget itself, since people can be doing any number of things with caps and roles.
#5 (11 years ago)
Thanks for the feedback helen. Instead of moving the function call up I put a condition around it to keep the order of the contents intact.
I'll look into more roles for the functions now.
#6 (11 years ago)
So, the widget wp_dashboard_site_activity() uses two functions:
- wp_dashboard_recent_posts()
- wp_dashboard_recent_comments()
The latter actually does have roles in place. It will only preview the comment if the person has permission to read the post, and will only show the "approve" option if they can edit it.
So I'm not sure that my second patch is actually relevant. Thoughts?
#7 (11 years ago)
Instead of skipping future posts that can't be edited within the loop, we can pass the permissions to the query. I have added a patch that does this - for future posts I am using editable, and others readable.
Also, the patch removes broken edit links for posts the user cannot edit. This is repeated for comments also.
It's worth noting that, in order to disable it, I've had to use a plugin that locks subscribers to profile.php, which means they no longer see the warning about using the default generated password.
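The approach the discussion converges on, written out as an added illustration that is neither the committed change nor one of the attached patches: the Activity widget is registered only for users who can edit posts (comments #4 and #5), the query carries the permission through WP_Query's 'perm' argument with 'editable' for scheduled posts and 'readable' for the rest (#7), and the edit link is emitted only when current_user_can('edit_post') passes (#2, #7). The ticket27132_* function names are assumptions made for this example.

```php
<?php
// Added illustration for ticket #27132, not the committed patch: the dashboard
// recent-posts list with the capability checks the discussion asks for.
// 1. Register the Activity widget only for users who can edit posts,
//    mirroring the conditional already used for the "Right Now" widget.
function ticket27132_register_activity_widget() {
    if ( current_user_can( 'edit_posts' ) ) {
        wp_add_dashboard_widget( 'dashboard_activity', __( 'Activity' ), 'ticket27132_site_activity' );
    }
}
add_action( 'wp_dashboard_setup', 'ticket27132_register_activity_widget' );

// 2. Hand the permission to WP_Query via 'perm' instead of skipping posts in
//    the loop: 'future' posts require edit rights, others only read rights.
function ticket27132_recent_posts( $status, $max = 5 ) {
    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => $status,
        'posts_per_page' => (int) $max,
        'orderby'        => 'date',
        'order'          => ( 'future' === $status ) ? 'ASC' : 'DESC',
        'no_found_rows'  => true,
        'perm'           => ( 'future' === $status ) ? 'editable' : 'readable',
    ) );
    if ( ! $query->have_posts() ) {
        return false;
    }
    echo '<ul>';
    while ( $query->have_posts() ) {
        $query->the_post();
        $id    = get_the_ID();
        $title = esc_html( get_the_title( $id ) );
        // 3. Link the title only when the user may edit that post; the unpatched
        //    widget always emitted an edit link, which is dead for subscribers.
        if ( current_user_can( 'edit_post', $id ) ) {
            $title = '<a href="' . esc_url( get_edit_post_link( $id ) ) . '">' . $title . '</a>';
        }
        printf( '<li>%s: %s</li>', esc_html( get_the_time( 'M jS, g:i a', $id ) ), $title );
    }
    echo '</ul>';
    wp_reset_postdata();
    return true;
}

// The widget callback: scheduled posts (editable only), then recent ones.
function ticket27132_site_activity() {
    ticket27132_recent_posts( 'future' );
    ticket27132_recent_posts( 'publish' );
}
```

With 'perm' set, a user without edit rights gets no scheduled posts back from the query at all, so nothing embargoed reaches the template even if the widget is registered by mistake.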