[wp-trac] [WordPress Trac] #26807: Comments on private posts should also be private in admin depending on role
WordPress Trac
noreply at wordpress.org
Fri Jan 10 14:54:52 UTC 2014
#26807: Comments on private posts should also be private in admin depending on role
-----------------------------+-----------------------------
Reporter: dllh | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: trunk
Severity: normal | Keywords:
-----------------------------+-----------------------------
Repro:
1. As user X, create a private post.
2. As user X, add a comment to the private post.
3. As user Y with Contributor role, go to the comment listing screen.
Actual Result: Contributor user Y can see the post in the listing.
Expected: Comments on private posts should not be visible to users who
don't have elevated capabilities. There's a potential here for information
disclosure, as when a comment quotes content from the private post.
There's already a cap check in `WP_Comments_List_Table::single_row()`, so
it seems like we could suppress display as well based on that check (in
fact, I did so to test), though working out the counts for display above
the table and for pagination will likely be a little more involved.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/26807>
WordPress Trac <https://core.trac.wordpress.org/>
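One way to carry the reporter's idea through to the query and the counts, as an added sketch that is not WordPress core code and not the reporter's test patch: instead of suppressing rows one at a time in `WP_Comments_List_Table::single_row()`, restrict the comment query itself so the rows, the pagination total and the status counts above the table all agree. It hooks the real `comments_clauses` and `wp_count_comments` filters; the `t26807_` function names are made up for this example, and it assumes the stock `post` semantics in which a private post is readable only by its author or by a user holding `read_private_posts`.

```php
<?php
/**
 * Plugin Name: Hide comments on private posts (ticket #26807 illustration)
 *
 * Added example, not WordPress core code. Names prefixed t26807_ are made up
 * for this sketch. Assumes the stock 'post' rule: a private post is readable
 * only by its author or by a user who holds 'read_private_posts'.
 */

/**
 * SQL fragment excluding comments on private posts the current user may not
 * read. Returns '' when no restriction applies.
 */
function t26807_restricted_comments_where() {
    global $wpdb;

    // Only the admin comment screens need this; front-end comment queries are
    // already scoped to a single post the viewer was allowed to load.
    if ( ! is_admin() || current_user_can( 'read_private_posts' ) ) {
        return '';
    }

    // A subquery rather than a JOIN, so it composes with whatever JOIN
    // WP_Comment_Query has already added for post_type/post_status filters.
    return $wpdb->prepare(
        " AND {$wpdb->comments}.comment_post_ID NOT IN (
             SELECT ID FROM {$wpdb->posts}
             WHERE post_status = 'private' AND post_author <> %d )",
        get_current_user_id()
    );
}

/**
 * Row query. WP_Comments_List_Table::prepare_items() reruns the same query
 * with count=true for pagination, so the page total follows the rows.
 */
function t26807_filter_comment_clauses( $clauses, $query ) {
    $clauses['where'] .= t26807_restricted_comments_where();
    return $clauses;
}
add_filter( 'comments_clauses', 't26807_filter_comment_clauses', 10, 2 );

/**
 * Status counts shown above the table come from wp_count_comments(), which
 * bypasses WP_Comment_Query; recompute them with the same exclusion so
 * "All (N)" does not reveal how many hidden comments exist.
 */
function t26807_filter_count_comments( $stats, $post_id ) {
    global $wpdb;

    $where = t26807_restricted_comments_where();
    if ( '' === $where ) {
        return $stats; // empty array: core falls through to its own query
    }

    $sql = "SELECT comment_approved, COUNT(*) AS num_comments
            FROM {$wpdb->comments} WHERE 1=1" . $where;
    if ( $post_id > 0 ) {
        $sql .= $wpdb->prepare( ' AND comment_post_ID = %d', $post_id );
    }
    $sql .= ' GROUP BY comment_approved';

    $statuses = array(
        '0'            => 'moderated',
        '1'            => 'approved',
        'spam'         => 'spam',
        'trash'        => 'trash',
        'post-trashed' => 'post-trashed',
    );
    $counts                   = array_fill_keys( $statuses, 0 );
    $counts['total_comments'] = 0;

    foreach ( $wpdb->get_results( $sql, ARRAY_A ) as $row ) {
        $n = (int) $row['num_comments'];
        if ( isset( $statuses[ $row['comment_approved'] ] ) ) {
            $counts[ $statuses[ $row['comment_approved'] ] ] = $n;
        }
        // Core's total excludes trashed and post-trashed comments.
        if ( ! in_array( $row['comment_approved'], array( 'trash', 'post-trashed' ), true ) ) {
            $counts['total_comments'] += $n;
        }
    }
    $counts['all'] = $counts['approved'] + $counts['moderated'];

    return (object) $counts;
}
add_filter( 'wp_count_comments', 't26807_filter_count_comments', 10, 2 );
```

Dropped into `wp-content/mu-plugins/`, this makes a Contributor's Comments screen omit comments on other users' private posts rather than rendering a blank row, and keeps the pagination and the "All / Pending / Approved" counts consistent with what is shown. Two caveats a reviewer would raise: `read_private_posts` is the capability for the built-in `post` type, so sites with custom post types whose `cap->read_private_posts` maps elsewhere would need a per-type check; and any plugin that already filters `comments_clauses` must not rebuild the `where` clause from scratch, or this fragment is lost.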