[wp-trac] [WordPress Trac] #4786: Recent Entries widget caches Private Post titles
WordPress Trac
wp-trac at lists.automattic.com
Tue Aug 21 07:16:31 GMT 2007
#4786: Recent Entries widget caches Private Post titles
----------------------+-----------------------------------------------------
 Reporter:  lybica    |       Owner:  anonymous
     Type:  defect    |      Status:  new
 Priority:  normal    |   Milestone:  2.4 (future)
Component:  Security  |     Version:  2.2.2
 Severity:  normal    |    Keywords:  cache, private
----------------------+-----------------------------------------------------
The Recent Entries widget uses wp_cache_*() functions if ENABLE_CACHE is
set.

However, if a user with the capability to 'read_private_posts' is logged
in and triggers wp_cache_add(), private posts (only titles, though) are
also cached and displayed to the public/unregistered viewers for the
lifetime of the cache, effectively bypassing the is_user_logged_in() and
current_user_can() checks in WP_Query::get_posts().
--
Ticket URL: <http://trac.wordpress.org/ticket/4786>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
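
The cache behaviour described in the ticket, as an added example that is not part of the original report and is not WordPress code: a plain PHP array stands in for the object cache behind wp_cache_*(). The function names, the sample posts and the capability-scoped cache key are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress code. All names below are hypothetical.

// Constructed sample posts.
$posts = [
    ['title' => 'Hello world',       'status' => 'publish'],
    ['title' => 'Draft merger memo', 'status' => 'private'],
    ['title' => 'Release notes',     'status' => 'publish'],
];

// Stand-in for the query: private posts are returned only to a viewer
// who holds the read_private_posts capability.
function query_titles(array $posts, bool $can_read_private): array {
    $titles = [];
    foreach ($posts as $p) {
        $visible = $p['status'] === 'publish'
            || ($p['status'] === 'private' && $can_read_private);
        if ($visible) {
            $titles[] = $p['title'];
        }
    }
    return $titles;
}

// Behaviour from the ticket: one cache entry shared by every viewer, so
// whoever fills it decides what everyone else sees until it expires.
function widget_shared_key(array &$cache, array $posts, bool $can_read_private): array {
    if (!isset($cache['recent_entries'])) {
        $cache['recent_entries'] = query_titles($posts, $can_read_private);
    }
    return $cache['recent_entries'];
}

// One possible mitigation: the key includes the capability that changes
// the query result, so the two audiences never share an entry.
function widget_scoped_key(array &$cache, array $posts, bool $can_read_private): array {
    $key = 'recent_entries:' . ($can_read_private ? 'private' : 'public');
    if (!isset($cache[$key])) {
        $cache[$key] = query_titles($posts, $can_read_private);
    }
    return $cache[$key];
}

foreach (['widget_shared_key', 'widget_scoped_key'] as $widget) {
    $cache = [];
    $widget($cache, $posts, true);            // privileged user fills the cache
    $seen = $widget($cache, $posts, false);   // anonymous visitor reads it
    $leaked = in_array('Draft merger memo', $seen, true);
    echo $widget, ': private title shown to anonymous visitor = ', var_export($leaked, true), "\n";
}
```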