[wp-trac] Re: [WordPress Trac] #4353: Users with edit_posts
capability can see everyone's comments, IPs, and email addresses
WordPress Trac
wp-trac at lists.automattic.com
Sun Aug 17 22:15:26 GMT 2008
#4353: Users with edit_posts capability can see everyone's comments, IPs, and
email addresses
-------------------------------------------------------------------------------------------+
Reporter: idahofallzcom | Owner: markjaquith
Type: enhancement | Status: reopened
Priority: high | Milestone: 2.7
Component: Administration | Version: 2.7
Severity: major | Resolution:
Keywords: has-patch comments edit_posts IP email privacy subscriber author role_manager |
-------------------------------------------------------------------------------------------+
Changes (by spencerp):
* status: closed => reopened
* version: 2.1.3 => 2.7
* resolution: fixed =>
* milestone: 2.5 => 2.7
Comment:
I know this is set to "fixed", but this really needs another good looking
at. No matter what I do, even using a Role Manager type plugin, I can't
hide ANY comments and their information from Authors, Editors, and
Contributors.

IMHO; Authors, Editors, and Contributors should NOT be able to view ANY
comment information at all, unless it's comments of their own, on their
own posts. I used the analogy in the wp-hackers or wp-testers list before;
That's like Bank employees leaving bank members' important information
out overnight, and even though it's supposedly kept secret and hidden
from anyone else, it's not. The night clean crew comes in after hours, and
their information could be right there in plain view to the clean crew.
It's not supposed to be viewed/seen by just anyone, and everyone. What if
you have an Author, Contributor or whatever that turns stalker/whacko on
you (site admin), and goes through all the comments, digging for people's
email addresses, IP addresses and what-not? I had that happen to me
already. I had some chick as an Author, and she was using my own plugins
against me. Stalking me.

I had to get rid of the Useronline & LastFm plugin before. It's not
wonderful to find draft posts titled: Just you, me, and 2 bots. And for
the content, was making references to knowing that I was really online,
but I must be hiding from her on messengers. If she can see certain
things, because of her "Higher Status" in a blog, then use that "status"
for evil.

I can just picture HER or ANYONE, going through other comments NOT NEEDED
for their eyes, contacting them via their email addresses for either email
or instant messengers, or, even going to their websites to try to start drama
that way too. Bottom line is, I just don't think all that extra
information should be viewed by Authors, Contributors, and Editors just
"because" they have the "status".

Don't get me wrong though, I DO believe and think "they" should be able to
view that stuff, if it's on their OWN posts. But, just not ALL of the
comments, that aren't even on their posts. You know? The site admin should
have that access, just not everyone that has a write post status. Maybe
I'm alone here... ?
--
Ticket URL: <http://trac.wordpress.org/ticket/4353#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software