Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#44055 closed defect (bug) (fixed)

Don't show notice to the privacy policy guide when user cannot view the guide

Reported by: ocean90
Owned by: azaozz
Milestone: 4.9.6
Priority: high
Severity: normal
Version: 5.1
Component: Privacy
Keywords: gdpr dev-reviewed
Focuses:
Cc:
PR Number:

Description

The privacy policy guide is only viewable if current_user_can( 'manage_privacy_options' ) but WP_Privacy_Policy_Content::notice() has no such check, leading an editor to an empty page.

Change History (13)

#1 @azaozz
17 months ago

  • Priority changed from normal to high

I'm actually not sure if editors on "single" installs should not be able to see the privacy policy guide? Generally they are trusted as much as admins (have unfiltered_html capability, etc.).

In any case, the notice should have the same capability requirement as the guide.


#2 @azaozz
17 months ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 43248:

Privacy: require manage_privacy_options capability for showing WP_Privacy_Policy_Content::notice().

Props ocean90.
Fixes #44055.

#3 @azaozz
17 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopen for 4.9.6 consideration.

#4 @azaozz
17 months ago

  • Keywords fixed-major commit added; needs-patch removed

#5 @iandunn
17 months ago

  • Keywords 2nd-opinion added

Hmm, should editors be allowed to edit the wp_page_for_privacy_policy? I'm guessing no, so maybe a better solution to this would be to add a map_meta_cap callback that makes current_user_can( 'edit_post', get_option( 'wp_page_for_privacy_policy' ) ) return false?
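
The two approaches discussed so far (gating the notice on the same capability as the guide, and the map_meta_cap callback from comment 5), sketched as an added example that is not part of the ticket and is not WordPress core code. All `example_*` names, the notice text and the text domain are hypothetical, and the callback is a variant that requires manage_privacy_options instead of unconditionally returning false:

```php
<?php
// Added illustration, not WordPress core code. All example_* names are hypothetical.

const EXAMPLE_GUIDE_CAP = 'manage_privacy_options'; // capability named in the ticket

/**
 * Show the pointer to the guide only to users who can open it, and only on
 * the edit screen of the page stored in wp_page_for_privacy_policy (assumed).
 */
function example_privacy_guide_notice( $post ) {
	if ( ! ( $post instanceof WP_Post ) ) {
		return;
	}
	if ( (int) get_option( 'wp_page_for_privacy_policy' ) !== $post->ID ) {
		return;
	}
	// Same requirement as the destination screen, so the link never dead-ends.
	if ( ! current_user_can( EXAMPLE_GUIDE_CAP ) ) {
		return;
	}
	echo '<div class="notice notice-info inline"><p>'
		. esc_html__( 'Need help with your privacy policy? See the guide.', 'example' )
		. '</p></div>';
}
add_action( 'edit_form_after_title', 'example_privacy_guide_notice' );

/**
 * The map_meta_cap idea from comment 5: editing or deleting the policy page
 * additionally requires the privacy capability.
 */
function example_restrict_policy_page( $caps, $cap, $user_id, $args ) {
	$guarded = array( 'edit_post', 'edit_page', 'delete_post', 'delete_page' );
	if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
		return $caps;
	}
	$policy_page_id = (int) get_option( 'wp_page_for_privacy_policy' );
	if ( $policy_page_id && (int) $args[0] === $policy_page_id ) {
		// Append rather than replace, so the existing primitive caps still apply.
		$caps = array_merge( $caps, map_meta_cap( EXAMPLE_GUIDE_CAP, $user_id ) );
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'example_restrict_policy_page', 10, 4 );
```

Keeping both checks means a user who reaches the edit screen by another route still sees no link to a screen they cannot open.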

This ticket was mentioned in Slack in #core by desrosj.


17 months ago

#7 @iandunn
17 months ago

  • Keywords 2nd-opinion removed

I opened #44079 to track the suggestion in comment:5. If we can get that in before the RC2 deadline, then there's no need to backport r43248. Otherwise, I don't have any objection to backporting it (although I haven't reviewed it yet, so it'll still need a review and sign-off from a 2nd committer).

This ticket was mentioned in Slack in #gdpr-compliance by allendav.


17 months ago

#9 @iandunn
17 months ago

  • Keywords dev-feedback added

This ticket was mentioned in Slack in #gdpr-compliance by azaozz.


17 months ago

#11 @iandunn
17 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 43277:

Privacy: require manage_privacy_options capability for showing WP_Privacy_Policy_Content::notice().

Props ocean90.
Merges [43248] to the 4.9 branch.
Fixes #44055.

#12 @iandunn
17 months ago

  • Keywords dev-reviewed added; fixed-major commit dev-feedback removed

Never mind regarding comment:7; it's a good idea to leave the cap check. See ticket:44079#comment:7.

#13 @desrosj
17 months ago

  • Component changed from Administration to Privacy

Moving to the new Privacy component.
