[wp-trac] Re: [WordPress Trac] #4353: Users with edit_posts capability can see everyone's comments, IPs, and email addresses

WordPress Trac wp-trac at lists.automattic.com
Sun Aug 17 22:15:26 GMT 2008


#4353: Users with edit_posts capability can see everyone's comments, IPs, and
email addresses
-------------------------------------------------------------------------------------------+
 Reporter:  idahofallzcom                                                                  |        Owner:  markjaquith
     Type:  enhancement                                                                    |       Status:  reopened   
 Priority:  high                                                                           |    Milestone:  2.7        
Component:  Administration                                                                 |      Version:  2.7        
 Severity:  major                                                                          |   Resolution:             
 Keywords:  has-patch comments edit_posts IP email privacy subscriber author role_manager  |  
-------------------------------------------------------------------------------------------+
Changes (by spencerp):

  * status:  closed => reopened
  * version:  2.1.3 => 2.7
  * resolution:  fixed =>
  * milestone:  2.5 => 2.7

Comment:

 I know this is set to "fixed", but this really needs another good looking
 at. No matter what I do, even using a Role Manager type plugin, I can't
 hide ANY comments and their information from Authors, Editors, and
 Contributors.

 IMHO, Authors, Editors, and Contributors should NOT be able to view ANY
 comment information at all, unless it's comments of their own, on their
 own posts. I used the analogy in the wp-hackers or wp-testers list before;
 That's like Bank employees leaving bank members' important information
 out overnight, and even though it's supposedly kept secret and hidden
 from anyone else, it's not. The night clean crew comes in after hours, and
 their information could be right there in plain view to the clean crew.

 It's not supposed to be viewed/seen by just anyone, and everyone. What if
 you have an Author, Contributor or whatever that turns stalker/whacko on
 you (site admin), and goes through all the comments, digging for people's
 email addresses, IP addresses and what-not? I had that happen to me
 already. I had some chick as an Author, and she was using my own plugins
 against me. Stalking me.

 I had to get rid of the Useronline & LastFm plugin before. It's not
 wonderful to find draft posts titled: Just you, me, and 2 bots. And for
 the content, was making references to knowing that I was really online,
 but I must be hiding from her on messengers. If she can see certain
 things, because of her "Higher Status" in a blog, then use that "status"
 for evil.

 I can just picture HER or ANYONE, going through other comments NOT NEEDED
 for their eyes, contacting them via their email addresses for either email
 or instant messengers, or, even going to their websites to try to start drama
 that way too. Bottom line is, I just don't think all that extra
 information should be viewed by Authors, Contributors, and Editors just
 "because" they have the "status".

 Don't get me wrong though, I DO believe and think "they" should be able to
 view that stuff, if it's on their OWN posts. But, just not ALL of the
 comments, that aren't even on their posts. You know? The site admin should
 have that access, just not everyone that has a write post status. Maybe
 I'm alone here... ?

-- 
Ticket URL: <http://trac.wordpress.org/ticket/4353#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software