[wp-trac] [WordPress Trac] #64779: Notes can be edited and deleted by other users
WordPress Trac
noreply at wordpress.org
Mon Mar 2 15:35:40 UTC 2026
#64779: Notes can be edited and deleted by other users
--------------------------+-----------------------------
Reporter: mindctrl | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Comments | Version: 6.9
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
A user with access to edit a post is able to edit the Notes of other users
on that post. This happens because the `edit_comment` capability gets
mapped to `edit_post`.
=== Example
A user with the Contributor role creates a new draft post. A user with the
Administrator role leaves a Note on the post that says "Please change this
to...". The Contributor user edits the Note to say "Looks good to me".
Another editor/admin comes along later, sees the note, and publishes the
post, believing the Note content is original.
It's also possible for the user with the Contributor role to delete the
Note left by the admin user.
=== Notes
This mirrors the existing behavior for normal comments, but it feels like
the behavior for Notes should be different considering they're used for
collaboration where the history of the conversation helps understand the
evolution of the content, and the mutability could lead to operational
impacts.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64779>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
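One defensive mitigation a site owner could ship as a small plugin, added here as an example that is not part of this ticket or of WordPress core: hook the `map_meta_cap` filter so that `edit_comment` and `delete_comment` on a Note resolve to `do_not_allow` unless the current user authored that Note. It assumes Notes are stored as comments with `comment_type` `note`; everything else uses core's filter signature.

```php
<?php
/*
 * Plugin Name: Lock Notes to their author (example, not WordPress core)
 *
 * Core maps edit_comment / delete_comment to edit_post on the parent post,
 * which is the behaviour this ticket describes. This filter runs before that
 * mapping is used and refuses the request for Notes written by someone else.
 * Assumption: Notes are comments whose comment_type is 'note'.
 */
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    // Only intervene for the two meta capabilities the ticket is about.
    if ( 'edit_comment' !== $cap && 'delete_comment' !== $cap ) {
        return $caps;
    }

    // $args[0] is the comment ID being edited or deleted.
    $comment = isset( $args[0] ) ? get_comment( $args[0] ) : null;
    if ( ! $comment || 'note' !== $comment->comment_type ) {
        // Not a Note: keep core's mapping (edit_post on the parent post).
        return $caps;
    }

    // Notes stay editable and deletable only by the user who wrote them.
    if ( (int) $comment->user_id !== (int) $user_id ) {
        return array( 'do_not_allow' );
    }

    return $caps;
}, 10, 4 );
```

Because this runs inside `map_meta_cap`, it covers the REST API, the admin UI and any `current_user_can( 'edit_comment', $id )` check alike, so the Contributor in the example above can no longer rewrite or remove the Administrator's Note.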