[wp-trac] Re: [WordPress Trac] #4353: Users with edit_posts
capability can see everyone's comments, IPs, and email addresses
WordPress Trac
wp-trac at lists.automattic.com
Mon May 28 16:59:04 GMT 2007
#4353: Users with edit_posts capability can see everyone's comments, IPs, and
email addresses
---------------------------------------------------------------------------------+
Reporter: idahofallzcom | Owner: markjaquith
Type: enhancement | Status: assigned
Priority: high | Milestone: 2.4
Component: Administration | Version: 2.1.3
Severity: major | Resolution:
Keywords: comments edit_posts IP email privacy subscriber author role_manager |
---------------------------------------------------------------------------------+
Changes (by markjaquith):
* status: new => assigned
* summary: Everyone above subscriber sees everyone's comments, IPs, and
emails => Users with edit_posts capability can
see everyone's comments, IPs, and email
addresses
* owner: anonymous => markjaquith
* type: defect => enhancement
* severity: critical => major
Old description:
> I've been fighting this problem for several weeks now. I've updated Role
> Manager to the new one (not the Owen Winkler version), and it also does
> not fix the problem.
>
> Everyone above subscriber can click "comments" and see everyone's
> comments, email addresses, and IP addresses. This is a very BAD thing.
>
> From what I've read, edit_posts for contributor and authors is supposed
> to only display the person's own comments. However this function is
> broken somehow and instead anyone can see everyone else's comments.
>
> Is this a core code issue or a plugin issue? I think it is core code.
>
> This is very important for me to resolve because I've had to demote
> everyone on my blog to subscriber, and nobody is able to post anymore.
New description:
I've been fighting this problem for several weeks now. I've updated Role
Manager to the new one (not the Owen Winkler version), and it also does
not fix the problem.

Everyone above subscriber can click "comments" and see everyone's
comments, email addresses, and IP addresses. This is a very BAD thing.

From what I've read, edit_posts for contributor and authors is supposed to
only display the person's own comments. However this function is broken
somehow and instead anyone can see everyone else's comments.

----
Mark Jaquith says:
It wasn't designed to restrict people with {{{edit_posts}}} from only
being able to see the comments they can edit. That would require a slight
tweak in the code.
----

Is this a core code issue or a plugin issue? I think it is core code.

This is very important for me to resolve because I've had to demote
everyone on my blog to subscriber, and nobody is able to post anymore.
Comment:
{{{edit_posts}}} is used to control comment editing, specifically, but
viewing, generally. If you have the {{{edit_posts}}} capability, you'll
be able to view all comments, but only be able to edit the ones on your
posts.

Contributors won't be able to view any comments or edit any. The only
default role affected here is "Author."

What you're advocating is a change in functionality, so I'm going to
update the ticket to reflect that.
--
Ticket URL: <http://trac.wordpress.org/ticket/4353#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
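
A simplified model of the behaviour described in the comment above, added here as an illustration and not WordPress code: viewing is gated only by the edit_posts capability, while editing also requires owning the post. The user names, sample comments and function names are constructed for the example; `overexposed` reports the commenter emails and IPs a user can read on comments they are not allowed to edit.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Comment:
    post_author: str  # owner of the post the comment is attached to
    text: str
    email: str        # commenter's email address
    ip: str           # commenter's IP address


# Constructed sample data; names and addresses are placeholders.
COMMENTS = [
    Comment("alice", "Nice post", "reader1@example.com", "192.0.2.10"),
    Comment("bob", "I disagree", "reader2@example.com", "192.0.2.20"),
]
# Assumed capability sets: alice and bob hold edit_posts, carol does not.
CAPS = {
    "alice": {"read", "edit_posts"},
    "bob": {"read", "edit_posts"},
    "carol": {"read"},
}


def can_edit(user, comment):
    """Edit gate as described: the capability plus ownership of the post."""
    return "edit_posts" in CAPS[user] and comment.post_author == user


def list_comments_current(user):
    """View gate as described: edit_posts alone returns every comment in full."""
    return list(COMMENTS) if "edit_posts" in CAPS[user] else []


def list_comments_restricted(user):
    """Requested behaviour: the listing reuses the per-comment edit check."""
    return [c for c in COMMENTS if can_edit(user, c)]


def overexposed(user, lister):
    """Emails/IPs the user can read on comments they cannot edit."""
    return {(c.email, c.ip) for c in lister(user) if not can_edit(user, c)}


if __name__ == "__main__":
    for lister in (list_comments_current, list_comments_restricted):
        print(lister.__name__, sorted(overexposed("alice", lister)))
```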