WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] hiding members e-mails and IPs (17 posts)

  1. dchanin
    Member
    Posted 8 years ago #

    I promote all my members to level 2 so they can Write Posts without saving them as Drafts, which would be confusing. Everything goes to me for moderation anyway.

    WordPress 1.5.1 does not let my users see each other's e-mails (or "real names") through the User's panel. But if someone makes a comment on the blog, any other Level 2 member can go to Site-Admin/Manage/Comments/View and they can see the e-mail address, IP, and any web site they provided. This is unacceptable and i had to put up a Privacy Warning on my blog until i can hack WP to fix the security hole.

    Can anyone tell me the easiest way to fix this?

    I want to check user-level and not display that private information (coming from edit-comments.php) if they have a user level less than admin status.

    The easiest fix would be to just hack that display completely out of edit-comments.php but then it might be useful for site admin.

    Where is that file that sets the initial permissions for various user levels and would it be possible to fix the problem there?

  2. dchanin
    Member
    Posted 8 years ago #

    This is definitely a bug in 1.5.1.1 that it exposes all Level 2 member's e-mails who have made Comments so that they can all see each other's e-mails and IPs. This despite the WD claim that blog member's e-mails are kept private from other members. It is a big security hole.

    The security hole does not seem to affect those who have made Posts, it apparently only exposes private information for those who have made Comments. It is a bug in edit-comments.php which exposes e-mails and IPs of everyone who has made comments without checking their user-level.

    The easiest kludge is to turn off their ability to Manage/Comments/View by changing menu.php so that Level 3 is required to access edit-comments.php at all. Since it's a WP bug, it's more important that i protect my member's privacy than rewrite edit-comments.php to let lower-level members view only their own private information.

    Since all my members are Level 2, i can keep them from seeing each other's private information by making this change to menu.php:

    in menu.php, change
    $submenu['edit.php'][20] = array(__('Comments'), 1, 'edit-comments.php');
    to
    $submenu['edit.php'][20] = array(__('Comments'), 3, 'edit-comments.php');
    and then Level 3 is required to see other people's private information.

  3. I think there could be a fascinating argument about what is and isn't a "security hole". WP allows users to see the email addresses entered by those leaving comments. I think most people like to know who's commenting.

    The side effect that users can see other users' email addresses if those users make comments isn't so much a security hole, IMHO as a feature that you (and others) might not want.

    Now if people who were not registered users could see users' email addresses (or commenters' addresses, for that matter), it would be an actual security hole.

    What you seem to be aiming for is to stop posters knowing who has posted a comment on their posts if that comment comes from another user. I suspect a lot of people would find that unacceptable.

    EDIT: And please don't double-post.

  4. dchanin
    Member
    Posted 8 years ago #

    It is a security hole. Anyone who is Level 2 (the minimum needed to avoid the silly Draft publish) cab look at *anyone's* e-mail address and IP ... they can look at all the e-mails of everyone who has ever made a comment.

    This display of all other member's e-mails is not limited to showing someone who has made a comment on that person's post.

    A new member with no posts or comments can see the e-mails of everyone who has made a comment. Well, WP does not allow that for Posts (whose e-mails are kept private), it only exposes e-mails of those who have made Comments.

    That is a BUG and a SECUITY HOLE!

    Somewhere in the template files it says that e-mails are not published. That's not true!

    If you want
    put out for every Level 1 member to see.

  5. dchanin
    Member
    Posted 8 years ago #

    after fixing the security hole in menu.php that exposes all Commenter's private information that WP tries to protect everywhere, this is the corresponding hack to wp-register.php to tell people that their e-mail is kep private:

    <form method="post" action="wp-register.php" id="registerform">
    <label for="user_email"><?php _e('E-mail: (kept private and never displayed)') ?></label>
    <input
    type="text"

  6. dchanin
    Member
    Posted 8 years ago #

    i've had to make so many fixes to the silly thing that i'll never bother to upgrade. it's badly coded and not modular at all. i've had to patch ten different routines already and have only been using it a month.

  7. dchanin
    Member
    Posted 8 years ago #

    i cannot vet all my registered members to have any confidence that someone won't sell all these e-mails for marketing or other purposes. most of them are using disposable e-mails because they're afraid of getting spammed. it turns out that they had a good reason to register that way.

    i've been a software developer for a long time. calling a bug a "feature" is something we laugh about all the time.

    it's obvious that it was a mistake because of the care taken everywhere else in the code to keep people at the lower levels from seeing other people's registration information.

    if LesBessant is right and this information leak is intentional, then why is this the only place (that i could find so far) where private registration information (and all the IPs that were used to make Comments) are publicized?

    my blog users have an expectation of privacy when they register. they don't want their e-mail blasted all over the internet.

    so why can't logged -in members see each other's Profiles?

    and why does WP give people a choice whether they want to display their login, or just their first name, or both first and last?

    and why can't logged-in members click on someone's handle to send them an e-mail?

    it's because WP intended that information to be kept private ... but it isn''t. so that's a bug!

  8. If you can't trust your registered users, what you have is a human problem rather than a software problem.

    Commenters' details are not "blasted all over the internet", they are visible to registered users. If you have a problem with users seeing who is commenting on posts, then you need a modification to how your users see things. This could probably be achieved with a plugin, rather than by hacking at the core code.

  9. phonakins
    Member
    Posted 8 years ago #

    Or by modifying your users. If you can't trust them, do you really want them in your blog :p

  10. James
    Happiness Engineer
    Posted 8 years ago #

    i've been a software developer for a long time. calling a bug a "feature" is something we laugh about all the time.

    The difference between a bug and a feature is always unique to an individual's perception. So, whether you laugh at it or not is irrelevant.

    If you can't trust them, do you really want them in your blog

    Exactly. The reason for why the commentator's email address and IP are displayed in the admin interface and not publicaly on the blog is because the WordPress administration has made the assumption that you trust any registered member that you have promoted to a level of 2. If you can't trust those users, then you need to re-think who you're allowing to post on your blog.

    As you can see, to me this is a feature. And, to you, this is a bug. Have we accomplished anything? No, that's why it's irrelevant.

  11. James
    Happiness Engineer
    Posted 8 years ago #

    i've had to make so many fixes to the silly thing that i'll never bother to upgrade. it's badly coded and not modular at all. i've had to patch ten different routines already and have only been using it a month.

    I think you need to choose a different blogging platform, or perhaps try coding your own. Everything you've been talking about is more CMS-oriented anyway.

  12. Mark (podz)
    Support Maven
    Posted 8 years ago #

    dchanin - go use Blogger :)

  13. citeewurkor
    Member
    Posted 8 years ago #

    I know this thread is kind of old now, but I'm glad I was able to find it. I've got several level 1 members, and I've always purported that their email address would never be displayed. Thanks to dchanin, I now know how to alter it. I wouldn't call it a bug, but maybe people should be aware of this? I didn't know about it until one of the level 1 members emailed me and told me about it!
    Since privacy is a big issue where I blog from, I would be in favor of a comprehensive ability to change the options on membership levels. Of course, I haven't searched for that particular forum subject, so there may already be a plugin / mod for that already?

  14. sluk
    Member
    Posted 8 years ago #

    I think this really needs to be looked at. I just decided to try out WP2 and I was very disappointed to see this hasn't changed...

    If different levels of security/access aren't important to you folks why don't we just have two security levels- an admin level and a subscriber level?

    And if someone you trust goes in and deletes your web site well then I suppose they're no friends of yours and it's your fault for trusting them, right?

    How ridiculous.

    I don't trust them to publish without me reviewing it first, and I certainly don't trust them with private information of people they could conceivably have a feud with...

    I don't want contributors to my site to know the IP address of the lovable (in my opinion) troll that haunts my site- I don't want them emailing his boss at whatever company he works for bitching about how the guy is a dick in online discussions.

    There are multiple levels for a reason- we should make use of them.

    Sometimes private information should remain private.

    Is that really so unreasonable?

  15. citeewurkor
    Member
    Posted 8 years ago #

    Well, not reason to get pissy about it, but the code looks different in menu.php now. Anyone know how to disable "contributors" from seeing email addresses and IP's?

    thanks!

  16. citeewurkor
    Member
    Posted 8 years ago #

    well, in menu.php it says this at the top:
    // This array constructs the admin menu bar.
    //
    // Menu item name
    // The minimum level the user needs to access the item: between 0 and 10
    // The URL of the item's file

    I think the one to change a bit lower is this:

    $submenu['edit.php'][20] = array(__('Comments'), 'edit_posts', 'edit-comments.php');

    But I'm not sure how to alter that so contributors cannot see comments or IP addresses in their dashboard.

    Can anyone help?

  17. citeewurkor
    Member
    Posted 8 years ago #

    I've figured out a fix that works for me.

    You have to go to the bottom of the thread to see the one I actually implemented.

    Good luck and don't forget to backup!

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags