Make WordPress Core

Opened 16 years ago

Closed 16 years ago

Last modified 15 years ago

#5487 closed defect (bug) (fixed)

query.php mistakenly uses is_admin() to check for admin privileges

Reported by: pishmishy's profile pishmishy Owned by: pishmishy's profile pishmishy
Milestone: 2.3.2 Priority: high
Severity: major Version: 2.3.1
Component: Security Keywords: query is_admin has-patch dev-feedback
Focuses: Cc:

Description (last modified by lloydbudd)

  1. Create a draft post
  2. Log out
  3. Visit
    • is_admin() spots the wp-admin in the request and returns true
    • query.php uses is_admin() to decide to return future, draft or pending posts
  4. Future, draft and pending posts are displayed.

This doesn't require the ' in the request string as reported on Bugtraq.


12/22 additional disclosure, with trivial, popular example:

Attachments (2)

5487.patch (738 bytes) - added by pishmishy 16 years ago.
New patch improves is_admin()
5487.002.diff (429 bytes) - added by markjaquith 16 years ago.
Don't we need to fix this too?

Download all attachments as: .zip

Change History (20)

#1 @pishmishy
16 years ago

  • Status changed from new to assigned

#2 @pishmishy
16 years ago

See line 1172 of query.php for the misuse of is_admin()

#3 @pishmishy
16 years ago

  • Keywords has-patch dev-feedback added

Attached patch replaces is_admin() check with current_user_can('level_10'). Perhaps we could explicitly check the user's capabilities but I wasn't sure from the documentation which capabilities we should be looking at. Instead I've just checked if the user is the administrator or not.

#4 follow-up: @docwhat
16 years ago

What I did (Wordpress 2.3.1):

  • Logged into wp-admin with Firefox.
  • Created a new post called "DRAFT", with text "DRAFT"
  • I saved it (but did not publish it)
  • I opened another browser (Opera).
  • I tried using the URL you had above (modified for my site) and it does not show me drafts.
  • I tried adding the p=<post number> get argument, but I just get a blank page.

I cannot reproduce this problem.

Will the current_user_can() allow the author (possibly a non-admin) to view the draft post that he/she just wrote?


#5 @ryan
16 years ago

We do a current_user_can() check in the block of code already. is_admin() is used to see what context the user is in. Is the user in the admin? I think we need to retain is_admin() and have it check a constant set in admin.php to determine admin context.

#6 @ryan
16 years ago

Hmm, the current_user_can() check is just for private posts. I think we need both an is admin user and is in the admin checks.

#7 @ryan
16 years ago

Actually, edit-pages.php and edit.php filter the results of the is_admin() query. So I think all we need is a proper is_admin() check and not any cap checks.

16 years ago

New patch improves is_admin()

#8 @pishmishy
16 years ago

New patch improves is_admin().
Old patch was confused over why is_admin() was used in the first place.
Thanks to Austin Matzko from wp-hackers for the idea.

#9 @ryan
16 years ago

Looks good to me.

#10 @ryan
16 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6412]) Better is_admin() check from filosofo and pishmishy. fixes #5487

#11 in reply to: ↑ 4 @docwhat
16 years ago

Replying to docwhat:

What I did (Wordpress 2.3.1):

Finally, someone posted what was missing. The unposted drafts have a date of something really old (1969 or 1999). You have to search back into the archive to find it.


#12 @ryan
16 years ago

(In [6442]) Better is_admin() check from filosofo and pishmishy. fixes #5487 for 2.3

#13 @lloydbudd
16 years ago

  • Milestone changed from 2.4 to 2.3.2

#14 @lloydbudd
16 years ago

  • Description modified (diff)

16 years ago

Don't we need to fix this too?

#15 @markjaquith
16 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

$wp_query->is_admin (the var) is checked in some places and is still using the old logic instead of the is_admin() function. Shouldn't we fix that too? See patch.

#16 @ryan
16 years ago

(In [6509]) Use is_admin. Props markjaquith. see #5487

#17 @ryan
16 years ago

(In [6510]) Use is_admin. Props markjaquith. see #5487

#18 @ryan
16 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.