[wp-trac] [WordPress Trac] #64779: Notes can be edited and deleted by other users
WordPress Trac
noreply at wordpress.org
Wed Mar 11 15:33:34 UTC 2026
#64779: Notes can be edited and deleted by other users
--------------------------------------+---------------------
Reporter: mindctrl | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 7.0
Component: Comments | Version: 6.9
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+---------------------
Changes (by ozgursar):
* keywords: has-patch has-unit-tests needs-testing => has-patch has-unit-tests
Comment:
== Patch Testing Report
Patch Tested: https://github.com/WordPress/wordpress-develop/pull/11191
=== Environment
- WordPress: 7.0-beta4-61919-src
- PHP: 8.2.29
- Server: nginx/1.29.4
- Database: mysqli (Server: 8.4.7 / Client: mysqlnd 8.2.29)
- Browser: Opera
- OS: macOS
- Theme: Twenty Twenty-Five 1.4
- MU Plugins: None activated
- Plugins:
* Test Reports 1.2.1
=== Steps taken
1. Create a test user with Contributor role
2. Create a draft post using the test user
3. Add a note on the draft post using the admin user
4. Try to change that note using the test user and confirm that the note can be successfully changed with the message `Note updated.`
5. Apply patch
6. Try to edit the admin user's comment again
7. Confirm that `Sorry, you are not allowed to edit this comment.` is displayed when updating.
8. ✅ Patch solves the problem
=== Expected result
- Users who don't have the `manage_comments` capability shouldn't be able to edit notes that they didn't author themselves.
=== Screenshots/Screencast with results
Before
[[Image(https://i.imgur.com/9eYFpWS.png)]]
After
[[Image(https://i.imgur.com/2fQno3v.png)]]
--
Ticket URL: <https://core.trac.wordpress.org/ticket/64779#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
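The authorization rule stated in the test report's expected result, written out as an added PHP example. This is not the patch under test and not WordPress core code; it assumes the standard WordPress functions `get_comment()`, `get_current_user_id()`, `current_user_can()`, `rest_authorization_required_code()` and the `WP_Error` class, and the function name `example_can_edit_note` is hypothetical.

```php
<?php
// Added example: a permission check enforcing the rule from the report.
// Not the code from PR 11191; function name is hypothetical.

/**
 * Decide whether the current user may edit or delete a note stored as a comment.
 * Returns true on success, or a WP_Error carrying the message the report expects.
 *
 * @param int $comment_id ID of the note (comment) being edited.
 * @return true|WP_Error
 */
function example_can_edit_note( $comment_id ) {
    $comment = get_comment( $comment_id );
    if ( ! $comment ) {
        return new WP_Error(
            'rest_comment_invalid_id',
            'Invalid comment ID.',
            array( 'status' => 404 )
        );
    }

    // A logged-in user may always edit a note they authored themselves.
    $current_user = get_current_user_id();
    if ( $current_user > 0 && (int) $comment->user_id === $current_user ) {
        return true;
    }

    // Everyone else needs the moderation capability. Checking
    // 'manage_comments' directly ties the decision to comment moderation
    // rather than to ownership of the note's parent post, which is what
    // lets a Contributor who owns the draft reach another user's note.
    if ( current_user_can( 'manage_comments' ) ) {
        return true;
    }

    return new WP_Error(
        'rest_cannot_edit',
        'Sorry, you are not allowed to edit this comment.',
        array( 'status' => rest_authorization_required_code() )
    );
}
```

To reproduce the report's check, call this from the REST `permission_callback` of the note update and delete routes and verify that the Contributor from step 1 receives the `rest_cannot_edit` error for the admin's note while still being able to edit their own.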