Make WordPress Core

Opened 16 years ago

Closed 16 years ago

#568 closed defect (bug) (fixed)

"Private" posts accessible to all users

Reported by: anonymousbugger Owned by: matt
Milestone: Priority: normal
Severity: minor Version: 1.2.2
Component: Administration Keywords:
Focuses: Cc:


By a bit of tweaking (and knowing the post ID) it is possible to view a private post from any user account (assuming you have the same or higher userlevel).

Steps to reproduce:

  1. Create a post with a certain user. Set it to private. Note down the post number.
  1. Logout and log-in as a different user (with at least the same user level as the user who created the post..). Change the url to 'post.php?action=edit&post=idnumber', where idnumber is the ID number of the previous post. You can now view the post, edit it and even make it public.

I fixed this (the viewing part, at least) using two lines of PHP:

if(('private' == $postdata->post_status && $postdata->post_author != $user_ID))

die ('You are not allowed to view other users\' private posts.');

to post.php in the 'edit' CASE.

This seems to also occur in the CVS version, although it looks like the user who wishes to view the private post needs a higher user level than the user who wrote it (instead of equal or higher). [see: user_can_edit_post in functions-post.php]

I'm not sure if this is a bug or a feature, but it seems weird that users with high userlevels cannot *see* other private posts, but are able to view and edit them (as long as they know the post's ID).

I do think allowing higher-levelled users to view the private posts of users below them doesn't really follow the idea of 'private' though!


Change History (3)

#1 @anonymousbugger
16 years ago

  • Patch set to No

#2 @anonymousbugger
16 years ago

I noticed the title of this is a bit of a lie. It shouldn't really be 'all users' but 'users with a higher user level than the post author'. Sorry!

#3 @matt
16 years ago

  • fixed_in_version set to 1.3
  • Owner changed from anonymous to matt
  • Resolution changed from 10 to 20
  • Status changed from new to closed

Thanks for the excellent bug report, fixed!

Note: See TracTickets for help on using tickets.