[wp-trac] [WordPress Trac] #11810: Some users able to comment on unpublished posts

WordPress Trac wp-trac at lists.automattic.com
Thu Jan 7 18:08:26 UTC 2010

#11810: Some users able to comment on unpublished posts
 Reporter:  ericmann      |       Owner:                         
     Type:  defect (bug)  |      Status:  new                    
 Priority:  normal        |   Milestone:  2.9.2                  
Component:  Comments      |     Version:  2.9.1                  
 Severity:  normal        |    Keywords:  has-patch needs-testing

Comment(by ericmann):

 Replying to [comment:8 filosofo]:
 > Patch attached, but not using current_user_can() check, because it
 > returns false for non-logged-in users.
 > Since we don't allow comments on "pending" despite capability, there's
 > no reason to allow them on "future," right?

 So your patch keeps a not-logged-in user from creating comments for all
 the different kinds of posts, but rather than supply a useful error, it
 just dumps some to a blank page.  For example, if you try posting a
 comment to a password-protected or future post, you are dumped to a blank
 page with no branding, no content, and no explanation as to why.

 It also doesn't prevent users from posting to other posts (which wasn't
 addressed in the original ticket).  But I can comment on post ID 130 from
 post ID 1 if both posts are published, public, and open to comments.

Ticket URL: <http://core.trac.wordpress.org/ticket/11810#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
