Make WordPress Core

Opened 16 years ago

Closed 16 years ago

#8801 closed defect (bug) (fixed)

Low privilege user can see email address of comment author by HTML source

Reported by: lilyfan's profile lilyfan Owned by:
Milestone: 2.8 Priority: normal
Severity: normal Version: 2.7
Component: Quick/Bulk Edit Keywords: email comments autor has-patch tested
Focuses: Cc:

Description

At wp-admin/edit-commet.php, higher privilege users can do everything, and editor/author users can do restrict editing.
Author users can edit comments which is belonging to his/her posts.
He/she can see all comments, but can not see email address of other's posts at admin panel.

However, in HTML source, email address of all posts in written at div section with class="author-email" !!
So, author users can see all email address of all comments.

This div section is for quick editing, therefore, this must be deleted when he/she can not edit the comment.

Attachments (2)

wp-admin_incudes_template.diff (3.0 KB) - added by lilyfan 16 years ago.
template.diff (1.1 KB) - added by mrmist 16 years ago.
remove email addresses for low priv users

Download all attachments as: .zip

Change History (6)

#1 @mrmist
16 years ago

  • Keywords has-patch tested added

I've attached the same or a similar patch, the other one seemed a bit odd?

Given it a quick test in IE and Opera, seems ok. My patch just blanks out the fields if user can't edit the relevant post.

#2 @ryan
16 years ago

  • Component changed from Administration to Quick Edit
  • Owner anonymous deleted

@mrmist
16 years ago

remove email addresses for low priv users

#3 @mrmist
16 years ago

  • Milestone changed from 2.7.2 to 2.8
  • Severity changed from critical to normal

Refreshed, tested, ready to go.

#4 @azaozz
16 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [10970]) Hide email addresses from low privilege users on the comments page, props mrmist, fixes #8801

Note: See TracTickets for help on using tickets.