Title of private posts show up in dashboard

[McShelby]

When a user A logs in to Wordpress he cannot actually see the comments attached to a private post of some other user B, but he can see the title of the post on the Dashboard page. There's a link under "Latest Activity >> Comments" which shows the title of the private post which has recently had a comment attached to it. If user A clicks on the post title link, he correctly gets the 404 page. However the title of user B's private post was revealed.

[chess64]

Isn't this fixed already? The sql used is

$wpdb->get_results("SELECT ID, post_title FROM $wpdb->posts WHERE post_type = 'post' AND " . get_private_posts_cap_sql('post') . " AND post_date_gmt < '$today' ORDER BY post_date DESC LIMIT 5")

I'm pretty sure the get_private_posts_cap_sql('post') part does it.

[pishmishy]

Replying to chess64:

Isn't this fixed already? The sql used is...

That's only hides private posts from the dashboard. The attached patch uses the same techique you mention to hide comments on private posts from the dashboard too.

[westi]

Closing as fixed - the new dashboard recent-comments widget uses a normal WP_Query object asking for the rss2 comments feed and displays that which should therefore solve this issue.