[wp-trac] [WordPress Trac] #8801: Low privilege user can see email
address of comment author by HTML source
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 5 15:15:13 GMT 2009
#8801: Low privilege user can see email address of comment author by HTML source
----------------------------+-----------------------------------------------
 Reporter:  lilyfan         |       Owner:  anonymous
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  2.7.1
Component:  Administration  |     Version:  2.7
 Severity:  critical        |    Keywords:  email comments autor
----------------------------+-----------------------------------------------
At wp-admin/edit-commet.php, higher privilege users can do everything, and
editor/author users can do restricted editing.
Author users can edit comments which belong to his/her posts.
He/she can see all comments, but cannot see the email addresses of others'
posts in the admin panel.
However, in the HTML source, the email addresses of all posts are written in
a div section with class="author-email" !!
So, author users can see all email addresses of all comments.
This div section is for quick editing; therefore, it must be deleted
when he/she cannot edit the comment.
--
Ticket URL: <http://trac.wordpress.org/ticket/8801>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
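
The gating the report asks for, as an added example that is not part of the original ticket and is not WordPress code. It is plain PHP; `can_edit_comment`, `render_row`, `leaked_ids` and the sample comments are hypothetical names and constructed data, with the permission rule taken from the report (authors may edit only comments on their own posts).

```php
<?php
// Constructed sample data: two comments on posts owned by different users.
$comments = [
    ['id' => 1, 'post_author' => 'alice', 'author' => 'Visitor A', 'email' => 'a@example.org', 'text' => 'Nice post'],
    ['id' => 2, 'post_author' => 'bob',   'author' => 'Visitor B', 'email' => 'b@example.org', 'text' => 'Thanks'],
];

// Hypothetical stand-in for the capability check: editors may edit any
// comment, authors only comments on their own posts.
function can_edit_comment(array $user, array $c): bool
{
    return $user['role'] === 'editor' || $user['login'] === $c['post_author'];
}

// Renders one comment row. With $gateQuickEdit = false the hidden quick-edit
// data is emitted for every viewer (the reported behaviour); with true it is
// emitted only when the viewer may edit the comment.
function render_row(array $user, array $c, bool $gateQuickEdit): string
{
    $canEdit = can_edit_comment($user, $c);
    $cell = htmlspecialchars($c['author']);
    if ($canEdit) {
        $cell .= ' (' . htmlspecialchars($c['email']) . ')';   // visible column
    }
    if ($canEdit || !$gateQuickEdit) {
        // Hidden in the browser, but still present in the HTML source.
        $cell .= '<div class="hidden"><div class="author-email">'
               . htmlspecialchars($c['email']) . '</div></div>';
    }
    return '<tr id="comment-' . $c['id'] . '"><td>' . $cell . '</td><td>'
         . htmlspecialchars($c['text']) . '</td></tr>';
}

// Regression check: ids of comments whose email reaches a viewer who is not
// allowed to edit them. An empty result means nothing is disclosed.
function leaked_ids(array $user, array $comments, bool $gateQuickEdit): array
{
    $leaks = [];
    foreach ($comments as $c) {
        $html = render_row($user, $c, $gateQuickEdit);
        if (!can_edit_comment($user, $c) && strpos($html, $c['email']) !== false) {
            $leaks[] = $c['id'];
        }
    }
    return $leaks;
}

$alice = ['login' => 'alice', 'role' => 'author'];
echo 'ungated leaks: ', implode(',', leaked_ids($alice, $comments, false)), PHP_EOL;
echo 'gated leaks:   ', implode(',', leaked_ids($alice, $comments, true)), PHP_EOL;
```

The check searches the rendered markup itself rather than the visible columns, because the disclosure described in the ticket exists only in the page source.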