WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#9144 closed defect (bug) (fixed)

dashboard: comments from private posts show up in recent comments list

Reported by: Taimon
Owned by:
Milestone: 3.0
Priority: normal
Severity: normal
Version: 2.7
Component: Comments
Keywords: has-patch featured
Focuses:
Cc:

Description

Comments that belong to private posts appear in the recent comments list on the dashboard, even if the current user doesn't have the appropriate capabilities to read the post.

Attachments (2)

dashboard.php.patch (617 bytes) - added by Taimon 6 years ago.
9144.diff (585 bytes) - added by nacin 6 years ago.


Change History (18)

comment:1 @Taimon 6 years ago

The patch should be taken with a grain of salt, as I'm not really familiar with WordPress.

comment:2 @mrmist 6 years ago

  • Keywords has-patch needs-testing added

Close #9144 as a dupe of this since this has a patch.

comment:3 follow-up: @mrmist 6 years ago

Sorry, should have said closed #8559 as a dupe of this.

@Taimon 6 years ago

comment:4 in reply to: ↑ 3 @Taimon 6 years ago

Didn't find that one, sorry.
Patch was buggy (php4) - next try.

comment:5 follow-up: @Denis-de-Bernardy 6 years ago

  • Keywords needs-patch added; recent comments private has-patch needs-testing removed

Shouldn't the patch list 5 comments, always? The SQL query should be changed, rather than the comments filtered out, no?

comment:6 @janeforshort 6 years ago

  • Milestone changed from 2.8 to Future Release

Punting due to feature freeze. Reconsider with next release.

comment:8 @Denis-de-Bernardy 6 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

comment:9 @Denis-de-Bernardy 6 years ago

  • Milestone changed from Future Release to 2.9

comment:10 @nacin 6 years ago

  • Milestone changed from 2.9 to Future Release

@nacin 6 years ago

comment:11 in reply to: ↑ 5 @nacin 6 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 3.0
  • Severity changed from minor to normal

Replying to Denis-de-Bernardy:

Shouldn't the patch list 5 comments, always? The SQL query should be changed, rather than the comments filtered out, no?

It actually does. This patch is within a loop that pulls 50 comments at a time until it reaches 5 acceptable ones.

New patch attached that uses current_user_can().
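The batching behaviour described in comment 11, as an added sketch that is not part of the ticket and not WordPress core code: rows are pulled in batches and each comment is checked against the reader's permissions before it is listed, so the widget still fills its quota of visible comments without disclosing private ones. `user_can_read_post()` and `fetch_batch()` are hypothetical stand-ins for `current_user_can()` and the comments query, and all posts, comments and users are constructed sample data.

```php
<?php
// Added illustration, not WordPress core code. All data is constructed.
$posts = [                       // post id => status and author id
    1 => ['status' => 'publish', 'author' => 10],
    2 => ['status' => 'private', 'author' => 10],
    3 => ['status' => 'private', 'author' => 20],
];
$comments = [];                  // newest first; every third is on the public post
for ($i = 1; $i <= 30; $i++) {
    $comments[] = ['id' => $i, 'post_id' => ($i % 3) + 1];
}

// Hypothetical stand-in for current_user_can(): a private post is
// readable only by its author or an administrator.
function user_can_read_post(array $user, array $post): bool {
    return $post['status'] !== 'private'
        || $user['is_admin'] || $user['id'] === $post['author'];
}

// Hypothetical stand-in for the comments query with LIMIT $start, $size.
function fetch_batch(array $comments, int $start, int $size): array {
    return array_slice($comments, $start, $size);
}

// Pull batches until $wanted readable comments are collected or no rows remain.
function recent_visible_comments(array $comments, array $posts, array $user,
                                 int $wanted = 5, int $batch = 50): array {
    $visible = [];
    for ($start = 0; count($visible) < $wanted; $start += $batch) {
        $rows = fetch_batch($comments, $start, $batch);
        if (!$rows) { break; }   // ran out of comments before reaching $wanted
        foreach ($rows as $c) {
            if (!user_can_read_post($user, $posts[$c['post_id']])) {
                continue;        // skip rather than disclose the comment
            }
            $visible[] = $c;
            if (count($visible) === $wanted) {
                break;
            }
        }
    }
    return $visible;
}

$subscriber = ['id' => 30, 'is_admin' => false];
$author20   = ['id' => 20, 'is_admin' => false];
foreach ([$subscriber, $author20] as $user) {
    $ids = array_column(recent_visible_comments($comments, $posts, $user, 5, 4), 'id');
    echo 'user ', $user['id'], ': ', implode(',', $ids), "\n";
}
```

The batch size is set to 4 in the sample calls so that several round trips are needed; a user with no readable comments at all makes the loop walk the whole table, which is the cost of filtering after the query rather than in it.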

comment:12 @hakre 5 years ago

  • Priority changed from low to normal

This patch is actually related to security because it's a minor information disclosure issue. Will raise the priority a bit because of that.

comment:13 @voyagerfan5761 5 years ago

  • Cc WordPress@… added

comment:14 @Denis-de-Bernardy 5 years ago

  • Keywords bug-hunt added

comment:15 @Denis-de-Bernardy 5 years ago

  • Keywords featured added; bug-hunt removed

comment:16 @automattor 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [13800]) Check cap before showing comments from private posts in recent comments dashboard widget. fixes #9144.
