Make WordPress Core

Opened 16 years ago

Closed 15 years ago

#9144 closed defect (bug) (fixed)

dashboard: comments from private posts show up in recent comments list

Reported by: Taimon
Owned by:
Milestone: 3.0
Priority: normal
Severity: normal
Version: 2.7
Component: Comments
Keywords: has-patch featured
Focuses:
Cc:

Description

Comments that belong to private posts appear in the recent comments list on the dashboard, even if the current user doesn't have the appropriate capabilities to read the post.

Attachments (2)

dashboard.php.patch (617 bytes) - added by Taimon 16 years ago.
9144.diff (585 bytes) - added by nacin 15 years ago.


Change History (18)

#1 @Taimon
16 years ago

The patch should be taken with a grain of salt, as I'm not really familiar with WordPress.

#2 @mrmist
16 years ago

  • Keywords has-patch needs-testing added

Close #9144 as a dupe of this since this has a patch.

#3 follow-up: @mrmist
16 years ago

Sorry, should have said closed #8559 as a dupe of this.

#4 in reply to: ↑ 3 @Taimon
16 years ago

Didn't find that one, sorry.
Patch was buggy (php4) - next try.

#5 follow-up: @Denis-de-Bernardy
16 years ago

  • Keywords needs-patch added; recent comments private has-patch needs-testing removed

Shouldn't the patch list 5 comments, always? The SQL query should be changed, rather than the comments filtered out, no?

#6 @janeforshort
16 years ago

  • Milestone changed from 2.8 to Future Release

Punting due to feature freeze. Reconsider with next release.

#8 @Denis-de-Bernardy
15 years ago

  • Priority changed from normal to low
  • Severity changed from normal to minor

#9 @Denis-de-Bernardy
15 years ago

  • Milestone changed from Future Release to 2.9

#10 @nacin
15 years ago

  • Milestone changed from 2.9 to Future Release

@nacin
15 years ago

#11 in reply to: ↑ 5 @nacin
15 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 3.0
  • Severity changed from minor to normal

Replying to Denis-de-Bernardy:

> Shouldn't the patch list 5 comments, always? The SQL query should be changed, rather than the comments filtered out, no?

It actually does. This patch is within a loop that pulls 50 comments at a time until it reaches 5 acceptable ones.

New patch attached that uses current_user_can().

#12 @hakre
15 years ago

  • Priority changed from low to normal

This patch is actually related to security because it's a minor information disclosure issue. Will raise the priority a bit because of that.

#13 @voyagerfan5761
15 years ago

  • Cc WordPress@… added

#14 @Denis-de-Bernardy
15 years ago

  • Keywords bug-hunt added

#15 @Denis-de-Bernardy
15 years ago

  • Keywords featured added; bug-hunt removed

#16 @automattor
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [13800]) Check cap before showing comments from private posts in recent comments dashboard widget. fixes #9144.
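
The approach discussed in comments 5 and 11 (pull comments in batches of 50, skip any the viewer may not read, stop once 5 are collected), as an added PHP example that is not the WordPress patch or core code. The `demo_*` functions, the sample data and the simplified permission model are assumptions so the script runs outside WordPress; in WordPress the per-comment check would be a `current_user_can()` call.

```php
<?php
// Constructed sample data: post ID => status, and 120 comments in display order.
$posts    = array( 1 => 'publish', 2 => 'private' );
$comments = array();
for ( $i = 1; $i <= 120; $i++ ) {
    // Two of every three comments belong to the private post.
    $comments[] = array( 'id' => $i, 'post_id' => ( 0 === $i % 3 ) ? 1 : 2 );
}

// Hypothetical stand-in for a paged comment query.
function demo_fetch_comments( array $all, $offset, $number ) {
    return array_slice( $all, $offset, $number );
}

// Hypothetical, simplified stand-in for the capability check on the comment's post.
function demo_can_read_post( array $posts, array $user, $post_id ) {
    if ( ! isset( $posts[ $post_id ] ) ) {
        return false; // unknown post: fail closed
    }
    return 'publish' === $posts[ $post_id ] || ! empty( $user['read_private_posts'] );
}

// Collect up to $wanted comments the viewer is allowed to see.
function demo_recent_comments( array $all, array $posts, array $user, $wanted = 5, $batch = 50 ) {
    $shown  = array();
    $offset = 0;
    while ( count( $shown ) < $wanted ) {
        $possible = demo_fetch_comments( $all, $offset, $batch );
        if ( ! $possible ) {
            break; // no more comments; the list may hold fewer than $wanted
        }
        foreach ( $possible as $comment ) {
            if ( ! demo_can_read_post( $posts, $user, $comment['post_id'] ) ) {
                continue; // authorization is decided per comment, before anything is rendered
            }
            $shown[] = $comment['id'];
            if ( count( $shown ) === $wanted ) {
                break 2;
            }
        }
        $offset += $batch;
    }
    return $shown;
}

$contributor = array( 'read_private_posts' => false );
$editor      = array( 'read_private_posts' => true );
echo 'contributor sees: ', implode( ',', demo_recent_comments( $comments, $posts, $contributor ) ), "\n";
echo 'editor sees:      ', implode( ',', demo_recent_comments( $comments, $posts, $editor ) ), "\n";
```

Filtering after the query keeps the authorization decision in one capability check instead of re-encoding it in SQL, and the batch loop is what still fills the list when most recent comments are filtered out.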
