[wp-trac] Re: [WordPress Trac] #3699: wp_update_comment_count() causes some plugins to delete usermeta values
WordPress Trac
wp-trac at lists.automattic.com
Sun Jan 28 02:49:18 GMT 2007
#3699: wp_update_comment_count() causes some plugins to delete usermeta values
-------------------------+--------------------------------------------------
Reporter: markjaquith | Owner: anonymous
Type: defect | Status: closed
Priority: high | Milestone: 2.1.1
Component: General | Version: 2.1
Severity: major | Resolution: wontfix
Keywords: |
-------------------------+--------------------------------------------------
Changes (by markjaquith):
* status: new => closed
* resolution: => wontfix
Comment:
Also a good point. I don't think you can tag via XML-RPC, so people with
the plugin probably never use it. It's possible that they've always been
broken like this.
One solution is for them to set a hidden form field with a nonce value
when including the form element they're using. On the backend they could
verify the nonce and use that as the check. Otherwise malicious
commenters could modify the comment form to include the element used as a
simple check, and use that method to wipe data.
Plugin authors should also be checking {{{current_user_can()}}} in their
{{{edit_post}}}-hooked functions.
So:
Set a hidden form field with a nonced value and check it on the back end,
along with checking {{{current_user_can()}}}. That gets you capability
and intention. I'll write up a post on it.
--
Ticket URL: <http://trac.wordpress.org/ticket/3699#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
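The two checks markjaquith recommends (a nonced hidden field for intention, current_user_can() for capability), shown side by side with the fragile "is the form field present?" pattern, as an added PHP example. This is not code from the ticket, from WordPress core, or from any affected plugin. The plugin name "Example Tagger", its usermeta key, its form field names and the edit_form_advanced hook are assumptions; edit_post is the hook named in the comment, and wp_nonce_field(), wp_verify_nonce(), current_user_can(), wp_get_current_user(), update_usermeta() and delete_usermeta() are the 2.1-era core functions (the usermeta pair was later deprecated in favour of update_user_meta()/delete_user_meta()).

```php
<?php
/*
 * Hypothetical plugin "Example Tagger" (invented for this illustration).
 * It stores per-user data in usermeta from a field on the post-editing form
 * and saves it from a function hooked to edit_post.
 */

define('EXAMPLE_TAGGER_META_KEY', 'example_tagger_tags'); // assumed usermeta key

/* ---- The fragile pattern the ticket describes ------------------------- */

// The only "check" is the presence of a form field. Because edit_post also
// fires from wp_update_comment_count(), this runs whenever a comment is
// posted; a commenter who adds example_tagger_tags to the comment form
// can reach the delete_usermeta() branch without ever editing a post.
function example_tagger_save_fragile($post_id) {
    if (!isset($_POST['example_tagger_tags'])) {
        return;
    }
    $user = wp_get_current_user();
    if ($_POST['example_tagger_tags'] === '') {
        delete_usermeta($user->ID, EXAMPLE_TAGGER_META_KEY);
    } else {
        update_usermeta($user->ID, EXAMPLE_TAGGER_META_KEY, $_POST['example_tagger_tags']);
    }
}

/* ---- The recommended pattern: intention + capability ------------------ */

// Emitted next to the plugin's own form element on the post-editing screen.
// The nonce ties this submission to the action name and to the logged-in user.
function example_tagger_form_field() {
    wp_nonce_field('example_tagger_save', 'example_tagger_nonce');
    echo '<input type="text" name="example_tagger_tags" value="" />';
}

function example_tagger_save_hardened($post_id) {
    // 1. Intention: the request must carry a nonce generated for this action.
    //    A comment form modified by a visitor cannot supply a valid one.
    if (!isset($_POST['example_tagger_nonce'])
        || !wp_verify_nonce($_POST['example_tagger_nonce'], 'example_tagger_save')) {
        return;
    }

    // 2. Capability: the current user must be allowed to edit this post.
    //    The nonce alone proves intent, not authorisation.
    if (!current_user_can('edit_post', $post_id)) {
        return;
    }

    // 3. Only now touch usermeta, and only the acting user's own entry.
    $user = wp_get_current_user();
    $tags = isset($_POST['example_tagger_tags']) ? trim($_POST['example_tagger_tags']) : '';
    if ($tags === '') {
        delete_usermeta($user->ID, EXAMPLE_TAGGER_META_KEY);
    } else {
        update_usermeta($user->ID, EXAMPLE_TAGGER_META_KEY, $tags);
    }
}

add_action('edit_form_advanced', 'example_tagger_form_field');   // assumed hook
add_action('edit_post', 'example_tagger_save_hardened');        // hook named in the ticket
```

The order matters: the nonce check runs first so that an edit_post firing from a comment submission (no nonce at all) returns before anything is touched, and the capability check then stops an authenticated but unauthorised user who does hold a valid nonce for a post they may not edit. Neither check on its own covers both cases.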