Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#50024 closed defect (bug) (duplicate)

comments section bug

Reported by: marciancarutasu
Owned by:
Milestone:
Priority: normal
Severity: major
Version:
Component: Comments
Keywords:
Focuses: privacy
Cc:

Description

Admins can edit comments on users' behalf without their consent.
If I comment from "marciancarutasu@…" with "I do not like your food", an admin currently has the ability to change it into "I love your food".
There is no "comment has been edited" flag.
On a larger scale this can become a major security flaw.

Facebook allows comments to be approved or disapproved, even deleted, but not edited.

Change History (9)

#1 @SergeyBiryukov
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Hi there, welcome to WordPress Trac! Thanks for the report.

This is essentially the same issue as previously reported in #50023, let's continue the discussion there.

#2 @marciancarutasu
4 years ago

Was this previously reported by other users? I am not technical enough to check if there is a PUT/UPDATE request from the admin panel on behalf of another human.

Impersonating is a bad deed; WordPress is leaving millions of doors open for that currently.

#3 @marciancarutasu
4 years ago

The moderator did not take the issue seriously. I find it critical to WordPress's image.
It can lead to defamation and impersonation, and it could even be a big security flaw.

#4 @carike
4 years ago

@marciancarutasu

Please do not create duplicate tickets.
I see that you created three with privacy as a keyword and all of them address exactly the same issue.
If it continues after a couple of requests not to, your ability to post tickets will have to be removed (because spam is not cool) and that would suck.

A number of people will look at a ticket (within their particular area of interest) and a ticket being closed isn't final. It can be re-opened if others disagree.

#5 @marciancarutasu
4 years ago

@carike, my first day. Don't want to bother people, sorry.

#6 @carike
4 years ago

@marciancarutasu

The WordPress.org project welcomes input and discussion.
Things just need to happen in a particular way so that the right people can (quickly) be able to see the information that they need to see.
If you write three new posts in the time it takes me to respond to you, for example, that causes an issue, because a core dev thinks "oh, a discussion about Trac etiquette" and moves on to the next ticket.

If you need help making a proposal actionable for Trac, please post here:
https://wordpress.org/support/forum/miscellaneous/
One of the forum volunteers can help you figure out how to best present your issue / proposal.

You can also join Slack to brainstorm possible solutions before creating a proposal on Trac:
https://make.wordpress.org/chat/

#7 follow-up: @marciancarutasu
4 years ago

The DB stores the comment author's IP, user agent, name, email, the actual comment, a created_at field and some other info by default.
But if an admin edits the comment there is no proof in the DB that the admin edited it; by default, it leaves it as the initial author.
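One application-level mitigation for the gap described in the report and in comment 7 above, added here as an example and not code from the ticket or from WordPress core: a small plugin that uses the `wp_update_comment_data` and `comment_text` hooks to record who edited a comment and when, preserve the original text, and show readers an "edited" note. The `cea_` function names and `_cea_*` meta keys are constructed for this example.

```php
<?php
// Example plugin: audit trail for comment edits. Meta keys (_cea_*) are constructed here.
// Hook runs before the edited row is saved: $comment is the existing row (array, slashed
// by core), $data is the merged row about to be written. Filter exists since WordPress 4.7.
add_filter( 'wp_update_comment_data', 'cea_record_comment_edit', 10, 3 );

function cea_record_comment_edit( $data, $comment, $commentarr ) {
    if ( is_wp_error( $data ) ) {
        return $data;
    }
    $old = isset( $comment['comment_content'] ) ? wp_unslash( $comment['comment_content'] ) : '';
    $new = isset( $data['comment_content'] ) ? $data['comment_content'] : '';
    if ( $old === $new ) {
        return $data; // Approval/status changes are not edits of the text.
    }
    $comment_id = (int) $comment['comment_ID'];
    $editor_id  = get_current_user_id();
    // Keep the original text exactly once so repeated edits cannot erase it.
    if ( ! metadata_exists( 'comment', $comment_id, '_cea_original_content' ) ) {
        add_comment_meta( $comment_id, '_cea_original_content', $old, true );
    }
    // Append who edited, when (UTC), and whether it was the comment's own author.
    $log   = get_comment_meta( $comment_id, '_cea_edit_log', true );
    $log   = is_array( $log ) ? $log : array();
    $log[] = array(
        'editor_id'  => $editor_id,
        'by_author'  => $editor_id === (int) $comment['user_id'],
        'edited_gmt' => current_time( 'mysql', true ),
    );
    update_comment_meta( $comment_id, '_cea_edit_log', $log );
    return $data;
}

// Make the edit visible to readers: append an "edited" note to the rendered text.
add_filter( 'comment_text', 'cea_flag_edited_comment', 10, 2 );

function cea_flag_edited_comment( $text, $comment ) {
    if ( ! ( $comment instanceof WP_Comment ) ) {
        return $text;
    }
    $log = get_comment_meta( $comment->comment_ID, '_cea_edit_log', true );
    if ( ! is_array( $log ) || empty( $log ) ) {
        return $text;
    }
    $last = end( $log );
    $who  = $last['by_author'] ? 'by its author' : 'by a moderator';
    return $text . '<p class="cea-edited"><em>Edited ' . esc_html( $who )
        . ' on ' . esc_html( $last['edited_gmt'] ) . ' UTC.</em></p>';
}
```

The trail lives in comment meta, so anyone with direct database access can still alter it; it records edits made through the WordPress admin UI and REST/XML-RPC paths that go through `wp_update_comment()`.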

#8 in reply to: ↑ 7 @pputzer
4 years ago

Replying to marciancarutasu:

The DB stores the comment author's IP, user agent, name, email, the actual comment, a created_at field and some other info by default.
But if an admin edits the comment there is no proof in the DB that the admin edited it; by default, it leaves it as the initial author.

We all understand the issue, @marciancarutasu. Let's keep the discussion to the original ticket (#50023).

#9 @carike
4 years ago

Potential changes to the DB structure as it relates to comments are a valid proposal / part of one.
Could you please post that message on the open ticket, @marciancarutasu?
