Opened 11 days ago

Closed 8 days ago

Last modified 7 days ago

#44055 closed defect (bug) (fixed)

Don't show notice to the privacy policy guide when user cannot view the guide

Reported by: ocean90
Owned by: azaozz
Milestone: 4.9.6
Priority: high
Severity: normal
Version: trunk
Component: Privacy
Keywords: gdpr dev-reviewed
Focuses:
Cc:

Description

The privacy policy guide is only viewable if current_user_can( 'manage_privacy_options' ) but WP_Privacy_Policy_Content::notice() has no such check, leading an editor to an empty page.

Change History (13)

#1 @azaozz
10 days ago

  • Priority changed from normal to high

I'm actually not sure if editors on "single" installs should not be able to see the privacy policy guide? Generally they are trusted as much as admins (have unfiltered_html capability, etc.).

In any case, the notice should have the same capability requirement as the guide.

#2 @azaozz
10 days ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 43248:

Privacy: require manage_privacy_options capability for showing WP_Privacy_Policy_Content::notice().

Props ocean90.
Fixes #44055.

#3 @azaozz
10 days ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopen for 4.9.6 consideration.

#4 @azaozz
10 days ago

  • Keywords fixed-major commit added; needs-patch removed

#5 @iandunn
10 days ago

  • Keywords 2nd-opinion added

Hmm, should editors be allowed to edit the wp_page_for_privacy_policy? I'm guessing no, so maybe a better solution to this would be to add a map_meta_cap callback that makes current_user_can( 'edit_post', get_option( 'wp_page_for_privacy_policy' ) ) return false?
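
Added example, not code from this ticket or from WordPress core: a sketch of the two approaches discussed in the description and in comment:5, a notice gated by the same capability as the guide and a map_meta_cap callback for the policy page. The example_ function names, the text domain and the notice text are hypothetical.

```php
<?php
// Added example; the example_* names and the notice text are assumptions.

/**
 * Deny edit_post on the privacy policy page to users who lack
 * manage_privacy_options, whatever their other post capabilities are.
 */
function example_privacy_page_map_meta_cap( $caps, $cap, $user_id, $args ) {
	if ( 'edit_post' !== $cap || empty( $args[0] ) ) {
		return $caps; // Not a per-post edit check; leave untouched.
	}

	$policy_page_id = (int) get_option( 'wp_page_for_privacy_policy' );
	if ( $policy_page_id && (int) $args[0] === $policy_page_id
		&& ! user_can( $user_id, 'manage_privacy_options' ) ) {
		// 'do_not_allow' makes current_user_can( 'edit_post', $id ) return false.
		$caps[] = 'do_not_allow';
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'example_privacy_page_map_meta_cap', 10, 4 );

/**
 * Show a pointer to the guide only to users who could open the guide,
 * so nobody is sent to a page they cannot view.
 */
function example_privacy_guide_notice( $post ) {
	if ( ! ( $post instanceof WP_Post ) ) {
		return;
	}
	// Same capability the guide itself requires.
	if ( ! current_user_can( 'manage_privacy_options' ) ) {
		return;
	}
	if ( (int) get_option( 'wp_page_for_privacy_policy' ) !== $post->ID ) {
		return;
	}

	printf(
		'<div class="notice notice-info inline"><p>%s</p></div>',
		esc_html__( 'A guide is available to help you write this page.', 'example-textdomain' )
	);
}
add_action( 'edit_form_after_title', 'example_privacy_guide_notice' );
```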

This ticket was mentioned in Slack in #core by desrosj.


9 days ago

#7 @iandunn
9 days ago

  • Keywords 2nd-opinion removed

I opened #44079 to track the suggestion in comment:5. If we can get that in before the RC2 deadline, then there's no need to backport r43248. Otherwise, I don't have any objection to backporting it (although I haven't reviewed it yet, so it'll still need a review and sign-off from a 2nd committer).

This ticket was mentioned in Slack in #gdpr-compliance by allendav.


9 days ago

#9 @iandunn
9 days ago

  • Keywords dev-feedback added

This ticket was mentioned in Slack in #gdpr-compliance by azaozz.


8 days ago

#11 @iandunn
8 days ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43277:

Privacy: require manage_privacy_options capability for showing WP_Privacy_Policy_Content::notice().

Props ocean90.
Merges [43248] to the 4.9 branch.
Fixes #44055.

#12 @iandunn
8 days ago

  • Keywords dev-reviewed added; fixed-major commit dev-feedback removed

Never mind regarding comment:7; it's a good idea to leave the cap check. See ticket:44079#comment:7.

#13 @desrosj
7 days ago

  • Component changed from Administration to Privacy

Moving to the new Privacy component.
