Opened 20 years ago
Closed 20 years ago
#568 closed defect (bug) (fixed)
"Private" posts accessible to all users
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | minor | Version: | 1.2.2 |
| Component: | Administration | Keywords: | |
| Focuses: | | Cc: | |
Description
By a bit of tweaking (and knowing the post ID) it is possible to view a private post from any user account (assuming you have the same or higher userlevel).
Steps to reproduce:
- Create a post with a certain user. Set it to private. Note down the post number.
- Log out and log in as a different user (with at least the same user level as the user who created the post). Change the URL to 'post.php?action=edit&post=idnumber', where idnumber is the ID number of the previous post. You can now view the post, edit it and even make it public.
I fixed this (the viewing part, at least) using two lines of PHP:
```php
// Added to the 'edit' case of post.php: refuse to show a private post to anyone but its author
if ('private' == $postdata->post_status && $postdata->post_author != $user_ID)
    die('You are not allowed to view other users\' private posts.');
```
to post.php in the 'edit' CASE.
This seems to also occur in the CVS version, although it looks like the user who wishes to view the private post needs a higher user level than the user who wrote it (instead of equal or higher). [see: user_can_edit_post in functions-post.php]
I'm not sure if this is a bug or a feature, but it seems weird that users with high userlevels cannot *see* other private posts, but are able to view and edit them (as long as they know the post's ID).
I do think allowing higher-levelled users to view the private posts of users below them doesn't really follow the idea of 'private' though!
Thanks.
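The following is an added example, not WordPress code and not the reporter's patch. It models the access rule the ticket argues for: a private post is readable and editable only by its author, no matter what user level the requesting account has, while non-private posts keep a level-based edit check in the spirit of the user_can_edit_post behaviour described above. The class and function names (Post, User, can_view_post, can_edit_post, handle_edit_request), the sample posts and the author_level field are all assumptions made for the example; the real post.php request flow is only approximated.

```php
<?php
// Added example, not WordPress code. Models the authorization rule from the
// ticket: 'private' means owner-only, regardless of user level. All names and
// sample data are hypothetical.

class Post {
    public $id;
    public $author;        // user ID of the author
    public $status;        // 'publish', 'draft' or 'private'
    public $author_level;  // assumption: the author's user level, for the non-private edit rule

    public function __construct($id, $author, $status, $author_level) {
        $this->id = $id;
        $this->author = $author;
        $this->status = $status;
        $this->author_level = $author_level;
    }
}

class User {
    public $id;
    public $level;

    public function __construct($id, $level) {
        $this->id = $id;
        $this->level = $level;
    }
}

// A private post is visible to its author only. Neither user level nor
// knowledge of the post ID grants access.
function can_view_post(Post $post, User $user) {
    if ($post->status === 'private') {
        return $post->author === $user->id;
    }
    return true; // assumption: non-private posts are viewable in the editor
}

// Editing requires the post to be viewable first, then either ownership or a
// strictly higher user level than the author (the CVS behaviour the ticket describes).
function can_edit_post(Post $post, User $user) {
    if (!can_view_post($post, $user)) {
        return false;
    }
    return $post->author === $user->id || $user->level > $post->author_level;
}

// Stand-in for the 'edit' case of post.php: the check runs on every request,
// keyed on the post ID taken from the URL, before any post data is rendered.
function handle_edit_request(array $posts, $post_id, User $user) {
    if (!isset($posts[$post_id])) {
        return 'Post not found.';
    }
    $post = $posts[$post_id];
    if (!can_edit_post($post, $user)) {
        return 'You are not allowed to edit this post.';
    }
    return 'Editing post ' . $post->id;
}

// Constructed sample data: user 2 (level 1) owns a private and a public post;
// user 1 is a high-level account that does not own either.
$posts = array(
    7 => new Post(7, 2, 'private', 1),
    8 => new Post(8, 2, 'publish', 1),
);
$author = new User(2, 1);
$admin  = new User(1, 10);

echo handle_edit_request($posts, 7, $author), PHP_EOL; // owner: allowed
echo handle_edit_request($posts, 7, $admin), PHP_EOL;  // higher level, not owner: denied
echo handle_edit_request($posts, 8, $admin), PHP_EOL;  // public post, higher level: allowed
```

The point of placing the check in handle_edit_request rather than in the listing that hides private posts is the one the ticket makes: hiding a link is not an access control, because the post ID is guessable and the edit URL is constructed by hand. The check must run on the server for every request that touches the post, and "private" must be decided by ownership, not by comparing user levels.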
I noticed the title of this is a bit of a lie. It shouldn't really be 'all users' but 'users with a higher user level than the post author'. Sorry!