[wp-trac] [WordPress Trac] #5505: Users able to see drafts and pending reviews of users higher than them but not view them
WordPress Trac
wp-trac at lists.automattic.com
Sat Dec 22 10:16:04 GMT 2007
#5505: Users able to see drafts and pending reviews of users higher than them but not view them
----------------------------+-----------------------------------------------
Reporter: JDTrower | Owner: anonymous
Type: defect | Status: new
Priority: normal | Milestone: 2.4
Component: Administration | Version: 2.4
Severity: normal | Keywords:
----------------------------+-----------------------------------------------
On edit.php when logged in as a contributor (and I assume author and editor, although at the time of writing I didn't verify) and you filter by draft or pending review, you see all posts that meet that post status. You are able to see drafts that are written by users that have a higher role than you. When you are looking at it as a contributor, you only have a view link for those users that are higher than you. They don't have edit or delete links, which you would expect them not to have. However, clicking on the view link results in a 404 error, which is good, because they shouldn't be able to read a draft or pending review post of a user that has a higher role than them. However, I am thinking that since they can't see the post anyway, and it is obvious that we are able to determine based on their capabilities or role that they don't have the privilege to edit or delete posts that are not theirs, that we should be able to not provide a view link for drafts and pending review posts that they can't view anyway.

This is in 2.4-bleeding.
--
Ticket URL: <http://trac.wordpress.org/ticket/5505>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
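As an added example, not code from WordPress or from the reporter, the model below shows the rule the ticket asks for: edit.php should render a View link only when the same check that guards the single-post page (the one that currently answers 404) says the viewer may read the post. Role names are WordPress's; the capability sets, post statuses and sample posts are constructed for this model.

```python
from dataclasses import dataclass

# Constructed simplification of the WordPress 2.x roles (hypothetical caps).
ROLE_CAPS = {
    "contributor": {"edit_posts"},
    "author": {"edit_posts", "publish_posts"},
    "editor": {"edit_posts", "publish_posts", "edit_others_posts"},
    "administrator": {"edit_posts", "publish_posts", "edit_others_posts"},
}
UNPUBLISHED = {"draft", "pending"}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class Post:
    id: int
    author: str   # user name of the post author
    status: str   # "publish", "draft" or "pending"


def can_edit(user: User, post: Post) -> bool:
    """Edit/delete: own posts, or anyone's if the role may edit others' posts."""
    return post.author == user.name or "edit_others_posts" in ROLE_CAPS[user.role]


def can_read(user: User, post: Post) -> bool:
    """Published posts are public; drafts and pending posts follow the edit rule.
    The single-post view applies exactly this predicate, so a link shown only
    when it passes can never lead to the 404 described in the ticket."""
    return post.status not in UNPUBLISHED or can_edit(user, post)


def row_links(user: User, post: Post) -> list[str]:
    """Links the listing should render for one row, gated by the same checks."""
    links = []
    if can_edit(user, post):
        links += ["edit", "delete"]
    if can_read(user, post):          # no View link the viewer cannot follow
        links.append("view")
    return links


def listing(user: User, posts: list[Post], status_filter: str) -> dict[int, list[str]]:
    """The filtered edit.php view: post id -> links rendered for this viewer."""
    return {p.id: row_links(user, p) for p in posts if p.status == status_filter}
```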