[wp-trac] [WordPress Trac] #23939: Wrong capability check in wp_ajax_replyto_comment
WordPress Trac
noreply at wordpress.org
Thu Apr 4 20:46:24 UTC 2013
#23939: Wrong capability check in wp_ajax_replyto_comment
--------------------------+------------------------------
Reporter: fgauthier | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Comments | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch |
--------------------------+------------------------------
Comment (by fgauthier):
Replying to [comment:6 nacin]:
> Replying to [comment:5 ocean90]:
> > Because the parent comment will be approved when you reply to it. And
> > you are only allowed to change a status of a comment if you can edit the
> > post to which the comment was posted.
>
> Yeah... So, there should probably be an edit_comment check on the comment
> to which the user is replying. This maps to the exact same edit_post
> check, but who knows what a plugin may be doing with it.
I agree and it would be consistent with wp-admin/edit-comments.php where
both the edit_posts AND edit_comment are checked before the approval of a
comment.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/23939#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
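The two-layer check the thread converges on, written out as an added illustration (this is not WordPress core code or the ticket's patch; it assumes WordPress is loaded, and the function name and the call site are hypothetical):

```php
<?php
// Added example, not core code: capability checks for an admin reply that
// will also approve its parent comment. Assumes current_user_can(),
// get_comment(), WP_Error and wp_set_comment_status() from a loaded WordPress.

/**
 * Verify the current user may reply to (and thereby approve) $parent_id.
 * Returns the parent comment object on success, or a WP_Error.
 */
function example_check_reply_caps( $parent_id ) {
    $parent = get_comment( $parent_id );
    if ( ! $parent ) {
        return new WP_Error( 'no_comment', 'Parent comment not found.' );
    }

    // Existing check: the user must be able to edit the post the comment
    // belongs to. Changing a comment's status is tied to edit_post on that
    // post, which is why ocean90 points at it.
    if ( ! current_user_can( 'edit_post', $parent->comment_post_ID ) ) {
        return new WP_Error( 'forbidden', 'Cannot edit the parent post.' );
    }

    // Check the thread asks for: also require edit_comment on the parent
    // itself. By default map_meta_cap resolves edit_comment to the same
    // edit_post check, but a plugin filtering capabilities may tighten the
    // comment-level cap, so the status change must honour it as well.
    if ( ! current_user_can( 'edit_comment', $parent->comment_ID ) ) {
        return new WP_Error( 'forbidden', 'Cannot edit the parent comment.' );
    }

    return $parent;
}

// Hypothetical call site inside the AJAX handler:
// $parent = example_check_reply_caps( (int) $_POST['comment_ID'] );
// if ( is_wp_error( $parent ) ) {
//     wp_die( -1 ); // deny before any status change happens
// }
// if ( '0' === $parent->comment_approved ) {
//     wp_set_comment_status( $parent->comment_ID, 'approve' );
// }
```

With only the edit_post check, a plugin that narrows edit_comment for some comments would still see those comments approved through the reply path; the second check closes that gap.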