Opened 5 years ago

Closed 5 years ago

#8801 closed defect (bug) (fixed)

Low privilege user can see email address of comment author by HTML source

Reported by: lilyfan
Owned by:
Milestone: 2.8
Priority: normal
Severity: normal
Version: 2.7
Component: Quick/Bulk Edit
Keywords: email comments autor has-patch tested
Focuses:
Cc:

Description

At wp-admin/edit-commet.php, higher privilege users can do everything, and editor/author users can do restricted editing.
Author users can edit comments which belong to his/her posts.
He/she can see all comments, but cannot see the email addresses of others' posts in the admin panel.

However, in the HTML source, the email addresses of all posts are written in a div section with class="author-email"!!
So, author users can see all email addresses of all comments.

This div section is for quick editing; therefore, it must be deleted when he/she cannot edit the comment.

Attachments (2)

wp-admin_incudes_template.diff (3.0 KB) - added by lilyfan 5 years ago.
template.diff (1.1 KB) - added by mrmist 5 years ago.
remove email addresses for low priv users


Change History (6)

comment:1 mrmist 5 years ago

  • Keywords has-patch tested added

I've attached the same or a similar patch, the other one seemed a bit odd?

Given it a quick test in IE and Opera, seems ok. My patch just blanks out the fields if user can't edit the relevant post.

comment:2 ryan 5 years ago

  • Component changed from Administration to Quick Edit
  • Owner anonymous deleted

mrmist 5 years ago

remove email addresses for low priv users

comment:3 mrmist 5 years ago

  • Milestone changed from 2.7.2 to 2.8
  • Severity changed from critical to normal

Refreshed, tested, ready to go.

comment:4 azaozz 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [10970]) Hide email addresses from low privilege users on the comments page, props mrmist, fixes #8801
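
The leak and the fix described in this ticket, as an added example that is not the attached patch or WordPress core code: the hidden quick-edit block is rendered with and without a server-side permission check, and a regression check looks for emails the viewer should not receive. All function names, array keys and comment rows are hypothetical or constructed; the ownership test stands in for a capability check such as WordPress's current_user_can('edit_post', $post_id).

```php
<?php
// Added example; names are hypothetical, comment rows below are constructed.

// Stand-in for the server-side capability check. In WordPress this would be
// current_user_can('edit_post', $post_id); here it is a simple ownership test.
function viewer_can_edit(array $viewer, array $comment): bool
{
    return in_array($comment['post_id'], $viewer['own_posts'], true);
}

// "Before": the hidden quick-edit block carries the email for every row.
function quick_edit_block_before(array $comment): string
{
    return '<div class="hidden"><div class="author-email">'
        . htmlspecialchars($comment['email'], ENT_QUOTES, 'UTF-8')
        . '</div></div>';
}

// "After": the field is blanked unless the viewer may edit the comment.
function quick_edit_block_after(array $comment, array $viewer): string
{
    $email = viewer_can_edit($viewer, $comment) ? $comment['email'] : '';
    return '<div class="hidden"><div class="author-email">'
        . htmlspecialchars($email, ENT_QUOTES, 'UTF-8')
        . '</div></div>';
}

// Regression check: emails of non-editable comments found in rendered HTML.
function leaked_emails(string $html, array $comments, array $viewer): array
{
    $leaks = [];
    foreach ($comments as $c) {
        if (!viewer_can_edit($viewer, $c) && strpos($html, $c['email']) !== false) {
            $leaks[] = $c['email'];
        }
    }
    return $leaks;
}

$viewer   = ['own_posts' => [10]]; // author who owns post 10 only
$comments = [
    ['post_id' => 10, 'email' => 'alice@example.com'],
    ['post_id' => 20, 'email' => 'bob@example.com'],
];
$before = implode('', array_map('quick_edit_block_before', $comments));
$after  = implode('', array_map(fn($c) => quick_edit_block_after($c, $viewer), $comments));

var_dump(leaked_emails($before, $comments, $viewer)); // leak present in "before"
var_dump(leaked_emails($after, $comments, $viewer));  // none in "after"
```

Hiding the block with CSS does not count as a fix, because the check inspects the response body rather than what the browser displays.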
