Opened 16 years ago
Closed 16 years ago
#8801 closed defect (bug) (fixed)
Low privilege user can see email address of comment author by HTML source
Reported by: | lilyfan | Owned by: | |
---|---|---|---|
Milestone: | 2.8 | Priority: | normal |
Severity: | normal | Version: | 2.7 |
Component: | Quick/Bulk Edit | Keywords: | email comments autor has-patch tested |
Focuses: | | Cc: | |
Description
At wp-admin/edit-commet.php, higher privilege users can do everything, and editor/author users can do restricted editing.
Author users can edit comments which belong to his/her posts.
He/she can see all comments, but cannot see the email addresses of others' posts in the admin panel.
However, in the HTML source, the email addresses of all posts are written in a div section with class="author-email"!!
So, author users can see all email addresses of all comments.
This div section is for quick editing; therefore, it must be deleted when he/she cannot edit the comment.
Attachments (2)
Change History (6)
I've attached the same or a similar patch, the other one seemed a bit odd?
Given it a quick test in IE and Opera, seems ok. My patch just blanks out the fields if user can't edit the relevant post.
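The issue and the fix discussed in this ticket, as an added example that is not the ticket's attached patch or WordPress core code: a standalone PHP sketch that renders a comment row with and without a server-side permission gate on the hidden `author-email` block, plus a check that flags addresses leaking into the markup. The function names, the `$editable` list and the sample rows are assumptions made for illustration, and this version omits the hidden block entirely rather than blanking its fields.

```php
<?php
// Added example: standalone PHP, not WordPress core code or the ticket's patch.
// Function names and the sample rows are constructed for illustration.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// "Before": quick-edit data is emitted for every row, so the address sits in
// the page source even when the visible column hides it.
function render_row_before(array $c): string {
    return sprintf('<tr id="comment-%d"><td>%s</td><td><div class="hidden">'
        . '<div class="author-email">%s</div></div></td></tr>',
        $c['id'], h($c['author']), h($c['email']));
}

// "After": the hidden block is built only when the viewer may edit the
// comment's post. In WordPress that decision would come from a capability
// check such as current_user_can('edit_post', $post_id).
function render_row_after(array $c, array $editable_post_ids): string {
    $quick_edit = '';
    if (in_array($c['post_id'], $editable_post_ids, true)) {
        $quick_edit = sprintf('<div class="hidden"><div class="author-email">%s</div></div>',
            h($c['email']));
    }
    return sprintf('<tr id="comment-%d"><td>%s</td><td>%s</td></tr>',
        $c['id'], h($c['author']), $quick_edit);
}

// Regression check: ids of comments whose e-mail appears in the markup
// although the viewer cannot edit the post they belong to.
function leaked_comment_ids(string $html, array $comments, array $editable_post_ids): array {
    $leaks = [];
    foreach ($comments as $c) {
        $editable = in_array($c['post_id'], $editable_post_ids, true);
        if (!$editable && strpos($html, h($c['email'])) !== false) {
            $leaks[] = $c['id'];
        }
    }
    return $leaks;
}

$comments = [ // constructed sample data
    ['id' => 1, 'post_id' => 10, 'author' => 'Alice', 'email' => 'alice@example.com'],
    ['id' => 2, 'post_id' => 20, 'author' => 'Bob',   'email' => 'bob@example.com'],
];
$editable = [10]; // the logged-in author owns post 10 only
$before = implode('', array_map('render_row_before', $comments));
$after  = implode('', array_map(fn($c) => render_row_after($c, $editable), $comments));
printf("before: leaked comment ids = [%s]\n", implode(',', leaked_comment_ids($before, $comments, $editable)));
printf("after:  leaked comment ids = [%s]\n", implode(',', leaked_comment_ids($after, $comments, $editable)));
```

Hiding a column in the admin UI is not access control; the permission decision has to be applied to every place the value is serialized, including data embedded for client-side features such as quick edit.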