Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#27132 closed defect (bug) (fixed)

Activity module shown by default for 'subscribers' includes scheduled posts

Reported by: kirrus
Owned by: johnbillion
Milestone: 3.8.2
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords: has-patch
Focuses: ui, administration
Cc:

Description

A subscriber can see upcoming posts in their wp-admin page:
https://twitter.com/ActionBcool/status/434710377419378689

This is a problem for this specific site, because it can expose embargoed information, and get them into a lot of trouble. There doesn't appear to be a way to disable this function without a plugin currently.

I'm not sure if this is a bug (information disclosure), or a feature request (please can you make it optional?).

Attachments (5)

dashboard.php.diff (1018 bytes) - added by jackreichert 7 years ago.
Encapsulates the future activity in capabilities condition
dashboard.php1.diff (1.4 KB) - added by jackreichert 7 years ago.
Condition added around wp_dashboard_recent_comments
dashboard.php2.diff (605 bytes) - added by jackreichert 7 years ago.
This hides future posts from inside wp_dashboard_recent_posts()
27132.diff (2.3 KB) - added by mattheu 7 years ago.
Alternative approach + don't display edit links if can't edit.
27132-2.diff (2.3 KB) - added by mattheu 7 years ago.
Fix unnecessary quotes


Change History (14)

#1 @kirrus
7 years ago

It's worth noting that, in order to disable it, I've had to use a plugin that locks subscribers to profile.php, which means they no longer see the warning about using the default generated password.

#2 @johnbillion
7 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 3.8.2
  • Type changed from feature request to defect (bug)

Confirmed.

In addition, the links for each post (which is an 'edit' link) do not have capability checks in place, resulting in dead links for users who cannot edit the posts.

@jackreichert
7 years ago

Encapsulates the future activity in capabilities condition

#3 @jackreichert
7 years ago

  • Keywords has-patch added; needs-patch removed

In the attached patch I've encapsulated the query for future posts in a current_user_can condition.

#4 @helen
7 years ago

kirrus: You should be able to use remove_meta_box() to get rid of it in the interim - can dig up some code if you'd like.

jackreichert: I'd probably just move the wp_add_dashboard_widget() call up a few lines to be within the same conditional as Right Now, as I don't see anything particularly valuable for somebody who can't edit posts. That said, though, there should also be various cap checks within the widget itself, since people can be doing any number of things with caps and roles.

@jackreichert
7 years ago

Condition added around wp_dashboard_recent_comments

#5 @jackreichert
7 years ago

Thanks for the feedback helen. Instead of moving the function call up I put a condition around it to keep the order of the contents intact.

I'll look into more roles for the functions now.

#6 @jackreichert
7 years ago

So, the widget wp_dashboard_site_activity() uses two functions:

  • wp_dashboard_recent_posts()
  • wp_dashboard_recent_comments()

The latter actually does have roles in place. It will only preview the comment if the person has permission to read the post, and will only show the "approve" option if they can edit it.

So I'm not sure that my second patch is actually relevant. Thoughts?

@jackreichert
7 years ago

This hides future posts from inside wp_dashboard_recent_posts()

@mattheu
7 years ago

Alternative approach + don't display edit links if can't edit.

#7 @mattheu
7 years ago

Instead of skipping future posts that can't be edited within the loop, we can pass the permissions to the query. I have added a patch that does this - for future posts I am using editable, and others readable.

Also, the patch removes broken edit links for posts the user cannot edit. This is repeated for comments also.
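
The approach described in comment 7, sketched as an added example; this is not the attached patch or the committed change. The function name `example_dashboard_posts()` is hypothetical, and the code assumes it runs inside a loaded WordPress admin request.

```php
<?php
/**
 * Added illustration: list posts of one status for the current user,
 * letting WP_Query apply the permission filter instead of skipping
 * posts inside the loop. The function name is hypothetical.
 *
 * @param string $status 'future' or 'publish'.
 * @param int    $max    Maximum number of posts to return.
 * @return string[] HTML fragments, one per post.
 */
function example_dashboard_posts( $status, $max = 5 ) {
	$query = new WP_Query( array(
		'post_type'      => 'post',
		'post_status'    => $status,
		'orderby'        => 'date',
		'order'          => ( 'future' === $status ) ? 'ASC' : 'DESC',
		'posts_per_page' => (int) $max,
		'no_found_rows'  => true,
		// Scheduled posts: only those the user may edit.
		// Everything else: only those the user may read.
		'perm'           => ( 'future' === $status ) ? 'editable' : 'readable',
	) );

	$items = array();
	foreach ( $query->posts as $post ) {
		$title = esc_html( get_the_title( $post ) );

		if ( current_user_can( 'edit_post', $post->ID ) ) {
			// Link to the editor only when the link will actually work.
			$items[] = sprintf(
				'<a href="%s">%s</a>',
				esc_url( get_edit_post_link( $post->ID ) ),
				$title
			);
		} else {
			// Plain title: no dead edit link for users who cannot edit.
			$items[] = $title;
		}
	}

	return $items;
}
```

With `perm` set to `editable`, a user without the capability to edit others' posts only gets back posts they authored, so a subscriber's query for `future` posts returns nothing.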

@mattheu
7 years ago

Fix unnecessary quotes

#8 @johnbillion
7 years ago

  • Owner set to johnbillion
  • Resolution set to fixed
  • Status changed from new to closed

In 27596:

Introduce permission checks for post queries and edit links in the At a Glance dashboard widget. Fixes #27132. Props mattheu.

#9 @nacin
7 years ago

In 27613:

Skipping placeholders in a string will only catch translators off guard.

see #27453, #27132.
