WordPress.org

Make WordPress Core

Opened 4 months ago

Last modified 4 months ago

#50023 reopened enhancement

Facilitating the transparent editing of user comments by providing sane core defaults

Reported by: marciancarutasu Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.4
Component: Comments Keywords: needs-privacy-review
Focuses: privacy Cc:

Description

using blankslate theme over wp 5.4.
on post comments section, I have uploaded a new comment for testing purposes, without being logged into admin panel from an external gmail account.

in the admin panel,comments section, logged in as admin, I get the power to edit users comment and post on his behalf.

notice: website does not have users functionality, wp-admin I only have one user called admin.

edit a comment on users behalf??

Change History (32)

#1 @marciancarutasu
4 months ago

updated.
bug on any of 3 themes I tested.
admins can edit comments on users behalf.

#2 follow-up: @knutsp
4 months ago

  • Keywords close added
  • Version 5.4 deleted

Hello @marciancarutasu, welcome to Trac and thank you for the ticket.

WordPress is self hosted, the the admin owns the site wit all it's content.
Admin users can edit any content on a site. Even if WordPress did not allow it, they will usually also have access to alter the database content as they wish.

So this is how WordPress, and all self hosted software, work. The owner has all access.

#3 in reply to: ↑ 2 @marciancarutasu
4 months ago

Hi @knutsp . I totally agree but hear me out a bit. Admins own the site, but nobody has the ability to speak on my behalf.
a comment comming from "randomuser@…", if edited and moderated by an admin, that edit has to be visible. "edited by admin". Even that I think is 'illegal' in terms of privacy.

If I have 10 milion visitors a day, 1 milion of them could read something I have never said, or turn a bad review into a good one, but untrue and nobody would know.

Replying to knutsp:

Hello @marciancarutasu, welcome to Trac and thank you for the ticket.

WordPress is self hosted, the the admin owns the site wit all it's content.
Admin users can edit any content on a site. Even if WordPress did not allow it, they will usually also have access to alter the database content as they wish.

So this is how WordPress, and all self hosted software, work. The owner has all access.

#4 @marciancarutasu
4 months ago

@knutsp I believe a comment should be moderated for bad language, approved or dissaproved.
But edited on users behalf? how does fb work

#5 @marciancarutasu
4 months ago

that would be a core flaw in wordpress 5.4, as in I've tried this with multiple themes today.
could be something I dont know

#6 @marciancarutasu
4 months ago

t's privacy 101. If somebody tells me on facebook or instagram that I am ugly, I can delete a harmful comment but I cannot change it in how pretty I am.

#7 @knutsp
4 months ago

  • Keywords close removed
  • Resolution set to worksforme
  • Status changed from new to closed

I can at any time, anywhere on my domains, with WordPress, my software of any kind or plain html, create a user with your name and publish anything, not just comments, full articles and complete blogs, in your name and/or email. Very bad practice, and it could be illegal, but technically I can, regardless of potential limitations in WordPress.

Nothing can be done to prevent this techinically, given the open nature of the internet

Facebook is not self hosted software. It's controlled by Facebook. Believe me, they can edit your comments and posts there, if they so wish.

#8 @marciancarutasu
4 months ago

  • Keywords close added

A 10 year old can add a text input on a blog saying that "marciancarutasu@…" commented on my blog.Wohoo.
And indeed you could add a text with my email on your site and say "hi I am you".

In essence it wouldnt take more than 1 minute to look for the IP and see that I have never added that comment there.
But if I willingly submit a comment on the WWW using a form and my email address. (http responses, geolocation. etc.) it can be proven that indeed I have commented on your site then you absolutely do not have the power to change my words/opinion WITHOUT my consent. That's called I believe Defamation.

#9 @marciancarutasu
4 months ago

Last edited 4 months ago by marciancarutasu (previous) (diff)

#10 @marciancarutasu
4 months ago

worth looking into, I believe there must be a reason wordpress saves the IP of every comment.

#11 @SergeyBiryukov
4 months ago

#50024 was marked as a duplicate.

#13 @knutsp
4 months ago

  • Keywords close removed

There are many perfectly legitimate reasons to edit a visitor comment, like bad words, naming third person in personal attack, posting personal information of others, any breach site owner may not want. As visitors cannot edit their comment, admin may even be communicating with the commenter, agreeing upon editing.

If WordPress tried to forbid such editing, a simple plugin would reopen it, immediately.

As a site owner I expect the possibility to edit any content on my site. If you have problems, either stay away, contact me and/or even take legal action. I also write posts, sometimes even comments, on behalf of others. I then edit it as I please. I am responsible for what stays on my site. If I don't edit in some cases, I may be prosecuted or sued.

Such discussion of basic principles don't even belong here on Trac. If you want to go into deep argument, a well crafted blog post would be better.

#14 @marciancarutasu
4 months ago

But where should I leave this complaint?

I believe it is a big flaw, hear me out. I totally agree with you, all comments have to be moderated, approved or disapproved.
Another example: I have two pages on my site. A random non-registered user can randomly see a topic and leave a bad comment "I do not like your post."
Wordpress currently gives me to ability to edit that comment, "I do not like your post" becomes "I love your post." on your behalf, without your consent, without any form of report or notice and use it as a testimonial on my second page.

So if my second page hits 100mil views a day, 100mil people can see how much I personally love your post, but in fact I HATE it, and I wouldn't even see that's possible, I am not registered on your website, I just left a comment.

#15 @marciancarutasu
4 months ago

I maybe exagerating the issue, and under no circumstance am I implying WP is doing something illegal.This problem is on any theme that has comment functionality.
But that is indeed a flaw in the comments flow. Impersonating another human on the internet is a bad deed.

Last edited 4 months ago by marciancarutasu (previous) (diff)

#16 @carike
4 months ago

  • Keywords needs-privacy-review added
  • Resolution worksforme deleted
  • Status changed from closed to reopened
  • Summary changed from major core flaw in comments system found today 28 April 2020 16:00 GMT +3 to Facilitating the transparent editing of user comments by providing sane core defaults
  • Version set to 5.4

Hallo :)

While I fully agree that a site administrator can simply edit the MySQL database (and while I would not class this as a "security" issue):

I have not seen any valid reason that

  1. "Edited by {{username}} on {{date time}}" is not the sane default,
  2. or why the site administrator should not be provided with a field to add the reason for editing a comment,
  3. or why comment revisions should not be visible on WordPress by default.

Any or all measures above would go some way to providing a good faith effort to respect the agency of users to the millions of WordPress installations on the web.

#17 @marciancarutasu
4 months ago

@carike
It's a simple flaw, first time using TRAC, don't really know what I'm doing.
Surely, it concerns privacy.
I wouldn't like it if I left a "I don't like your product" comment on an E-SHOP, and two days later I would see that comment "I love your product" with MY name on it, no edit trace/report and no possibility to edit/delete it.

Comments can be used for testimonials and positive/negative adverstisement, so a harmful one can be deleted but not turned into a a positive one without any possibility for the comments owner to restore it in original form.

Indeed databases can be altered.

I am not registered on your website, but I do leave a comment. you can make it your own with my name on it and I have no possibility of editing it ever again.

I use WordPress for years now, I love it, was a friendly notice that got deleted immediately.

#18 @marciancarutasu
4 months ago

I am not technical enough to check this form https://laurabirsan.ro/wp-content/themes/blankslate/img/screenshot.png
If that Update request is made on marciancarutasu@…'s behalf it could lead to a security flaw as because that's a PUT/UPDATE request on a form. (a dumb theory but people here are smarter than me).

Lovely community.

#19 @marciancarutasu
4 months ago

the problem is for non-registered users mainly.
no biggie.

#20 @carike
4 months ago

Trac is for actionable proposals and (this is just the straight and honest truth and not meant to be harsh), the more you repeat the same arguments without providing something actionable (so: show who edited a comment at what time by default), the less core developers will pay any attention to what you say.

This does (at the very least tangentially) concern privacy, which is why I re-opened the ticket and why I added an additional workflow keyword.

The only way to achieve what you have in mind would be to embed the comment from an independent third party site that agrees not to edit your comments.

That's possible, but I don't know of such a service currently and it would require development and integration with the platform.

#21 @knutsp
4 months ago

  • Type changed from defect (bug) to enhancement

#22 @apedog
4 months ago

Actionable suggestion:
In the 'Save' metabox - when editing a comment a checkbox would appear "Mark comment as edited by Admin" (or something to that effect).

Checkbox could be checked by default, when editing a comment. Unchecking the box before saving would still allow an admin to edit a comment without advertising this on the front-end.

It would be up to the theme template to display a relevant "This comment was edited by Admin" notice with that comment through a filterable template-tag comment_edit_status() (or something to that effect).

#23 @paapst
4 months ago

Not so sure that this really is a Privacy issue. The big legal issue here seems to be Freedom of speech and/or the right to protect a good name versus the rights (and responsibilities) of the Site owner. I agree with @knutsp , we should not use Trac for those kind of discussions. Yes, I do believe that there are rogue admins that will edit comments "on your behalf", changing a bad review into a positive one, however that kind of behaviour will still happen after we implement (some of) the suggestions done in this ticket.

This ticket was mentioned in Slack in #core-privacy by paapst. View the logs.


4 months ago

#25 @marciancarutasu
4 months ago

@paapst surely, it is better to avoid such things.

#26 @marciancarutasu
4 months ago

db stores comment author ip, user agent, name, email, actual comment, and a created_at field and some other info by default.
but if an admin edits the comment there is no proof in the db that the admin edited the comment, by default, it leaves it as the initial author.

#27 @carike
4 months ago

So let's try to turn that into an actionable (sub-)proposal ;)

What additional information would you suggest the database should save as it relates to comment edits?

Just a note: Don't feel pressured to reply immediately.
You can think about it for a day or two, if that helps.

#28 @marciancarutasu
4 months ago

@carike thanks for the help.
created_at, updated_at should be defaults for all fields, edited_by would be a improvement.

@apedog gave a good solution

#29 @marciancarutasu
4 months ago

  • Severity changed from major to normal

#30 @marciancarutasu
4 months ago

  • Focuses coding-standards added

#31 follow-up: @ocean90
4 months ago

  • Focuses coding-standards removed

This sounds like a duplicate of #21834.

#32 in reply to: ↑ 31 @marciancarutasu
4 months ago

new here Replying to ocean90:

This sounds like a duplicate of #21834.

Note: See TracTickets for help on using tickets.