#50024 closed defect (bug) (duplicate)
comments section bug
Reported by: | marciancarutasu | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | major | Version: | |
Component: | Comments | Keywords: | |
Focuses: | privacy | Cc: |
Description
Admins can edit comments on users' behalf without their consent.
I comment from "marciancarutasu@…": "I do not like your food". An admin currently has the ability to change it into: "I love your food".
There is no "comment has been edited" flag.
On a larger scale this can become a major security flaw.
Facebook allows comments to be approved or disapproved, deleted even, but not edited.
Change History (9)
#1
@
5 years ago
- Milestone Awaiting Review deleted
- Resolution set to duplicate
- Status changed from new to closed
#2
@
5 years ago
Was this previously reported by other users? I am not technical enough to check if there is a PUT/UPDATE request from the admin panel on behalf of another human.
Impersonating is a bad deed; WordPress is leaving millions of doors open for that currently.
#3
@
5 years ago
The moderator did not take the issue seriously. I find it critical to WordPress's image.
It can lead to defamation, impersonation, and it could even be a big security flaw.
#4
@
5 years ago
@marciancarutasu
Please do not create duplicate tickets.
I see that you created three with privacy as a keyword and all of them address exactly the same issue.
If it continues after a couple of requests not to, your ability to post tickets will have to be removed (because spam is not cool) and that would suck.
A number of people will look at a ticket (within their particular area of interest) and a ticket being closed isn't final. It can be re-opened if others disagree.
#6
@
5 years ago
@marciancarutasu
The WordPress.org project welcomes input and discussion.
Things just need to happen in a particular way so that the right people can (quickly) be able to see the information that they need to see.
If you write three new posts in the time it takes me to respond to you, for example, that causes an issue, because a core dev thinks "oh, a discussion about Trac etiquette" and moves on to the next ticket.
If you need help making a proposal actionable for Trac, please post here:
https://wordpress.org/support/forum/miscellaneous/
One of the forum volunteers can help you figure out how to best present your issue / proposal.
You can also join Slack to brainstorm possible solutions before creating a proposal on Trac:
https://make.wordpress.org/chat/
#7
follow-up:
↓ 8
@
5 years ago
The DB stores the comment author IP, user agent, name, email, actual comment, a created_at field and some other info by default.
But if an admin edits the comment, there is no proof in the DB that the admin edited the comment; by default, it leaves it as the initial author.
#8
in reply to:
↑ 7
@
5 years ago
Replying to marciancarutasu:
> The DB stores the comment author IP, user agent, name, email, actual comment, a created_at field and some other info by default.
> But if an admin edits the comment, there is no proof in the DB that the admin edited the comment; by default, it leaves it as the initial author.
We all understand the issue, @marciancarutasu. Let's keep the discussion to the original ticket (#50023).
Hi there, welcome to WordPress Trac! Thanks for the report.
This is essentially the same issue as previously reported in #50023, let's continue the discussion there.
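
An added example, not part of the ticket or of WordPress core, addressing the gap described in comment #7: a plugin that records who changed a comment's text and shows readers an edit notice. The plugin name, the `cea_` function names and the `_cea_edit_log` meta key are assumptions made for this example; it assumes a WordPress version that provides the `wp_update_comment_data` filter.

```php
<?php
/**
 * Plugin Name: Comment Edit Audit (added example, not WordPress core)
 */
defined( 'ABSPATH' ) || exit;

// Hypothetical meta key chosen for this example.
const CEA_META_KEY = '_cea_edit_log';

// wp_update_comment() applies this filter before it writes the row,
// so the database still holds the pre-edit text at this point.
add_filter( 'wp_update_comment_data', 'cea_record_edit', 10, 2 );
function cea_record_edit( $data, $old ) {
	if ( is_wp_error( $data ) || ! isset( $data['comment_content'] ) ) {
		return $data;
	}
	$stored = get_comment( (int) $old['comment_ID'] );
	if ( ! $stored || $stored->comment_content === $data['comment_content'] ) {
		return $data; // Status-only or metadata-only update: nothing to log.
	}
	$editor = get_current_user_id();
	$entry  = array(
		'editor_id'     => $editor,
		'by_author'     => $editor && (int) $stored->user_id === $editor,
		'edited_at_gmt' => current_time( 'mysql', true ),
		'previous_text' => $stored->comment_content,
	);
	// add_comment_meta() expects slashed input; each edit adds one row.
	add_comment_meta( (int) $stored->comment_ID, CEA_META_KEY, wp_slash( $entry ) );
	return $data;
}

// Show readers that the text is no longer what the commenter submitted.
add_filter( 'comment_text', 'cea_show_edit_notice', 20, 2 );
function cea_show_edit_notice( $text, $comment = null ) {
	if ( ! $comment ) {
		return $text;
	}
	foreach ( get_comment_meta( (int) $comment->comment_ID, CEA_META_KEY ) as $entry ) {
		if ( is_array( $entry ) && empty( $entry['by_author'] ) ) {
			return $text . '<p><em>' . esc_html__( 'Edited by a moderator.' ) . '</em></p>';
		}
	}
	return $text;
}
```

The log lives in comment meta, so anyone with administrator or database access can still delete it; it makes edits visible and attributable but is not tamper-proof.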