
[closed] Level 2 Users who Comment expose their e-mails! (4 posts)

  1. dchanin
    Member
    Posted 9 years ago #

    I promote all my members to level 2 so they can Write Posts without saving them as Drafts, which would be confusing. Everything goes to me for moderation anyway.

    WordPress 1.5.1 does not let my users see each other's e-mails (or "real names") through the User's panel. But if someone makes a comment on the blog, any other Level 2 member can go to Site-Admin/Manage/Comments/View and they can see the e-mail address, IP, and any web site they provided. This is unacceptable and I had to put up a Privacy Warning on my blog until I can hack WP to fix the security hole.

    Can anyone tell me the easiest way to fix this?

    I want to check user-level and not display that private information (coming from edit-comments.php) if they have a user level less than admin status.

    The easiest fix would be to just hack that display completely out of edit-comments.php but then it might be useful for site admin.

    Where is that file that sets the initial permissions for various user levels, and would it be possible to fix the problem there?

  2. dchanin
    Member
    Posted 9 years ago #

    This is definitely a bug in 1.5.1.1 that it exposes all Level 2 members' e-mails who have made Comments so that they can all see each other's e-mails and IPs. This despite the WP claim that blog members' e-mails are kept private from other members. It is a big security hole.

    The security hole does not seem to affect those who have made Posts, it apparently only exposes private information for those who have made Comments. It is a bug in edit-comments.php which exposes e-mails and IPs of everyone who has made comments without checking their user-level.

    The easiest kludge is to turn off their ability to Manage/Comments/View by changing menu.php so that Level 3 is required to access edit-comments.php at all. Since it's a WP bug, it's more important that I protect my members' privacy than rewrite edit-comments.php to let lower-level members view only their own private information.

    Since all my members are Level 2, I can keep them from seeing each other's private information by making this change to menu.php:

    in menu.php, change
    $submenu['edit.php'][20] = array(__('Comments'), 1, 'edit-comments.php');
    to
    $submenu['edit.php'][20] = array(__('Comments'), 3, 'edit-comments.php');
    and then Level 3 is required to see other people's private information.
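    An added illustration (not code from the thread or from WordPress) of the per-field check dchanin asks for in the first post, as an alternative to gating the whole Comments page in menu.php: a helper that returns only the comment-author fields a viewer's user level is allowed to see. It assumes the WordPress 1.5 convention of integer user levels with administrators at level 10 (the threshold constant and the function names are this example's own), and the sample comment is constructed for the demo.

```php
<?php
// Added example, not WordPress code. Decide which comment-author fields a
// viewer may see based on the viewer's user level. Assumes WordPress 1.5's
// integer user levels with administrators at level 10 (assumed threshold).
define('COMMENT_PRIVATE_FIELDS_MIN_LEVEL', 10); // admin only; assumed value

// HTML-escape a value before it is placed in the admin table.
function comment_field_escape($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Return the displayable fields for a comment. Author and content are always
// shown; e-mail, IP and URL are replaced by a placeholder unless the viewer's
// level meets $min_level. The private values never reach the output otherwise.
function comment_fields_for_level($comment, $viewer_level, $min_level = COMMENT_PRIVATE_FIELDS_MIN_LEVEL) {
    $out = array(
        'author'  => comment_field_escape($comment['comment_author']),
        'content' => comment_field_escape($comment['comment_content']),
    );
    if ((int) $viewer_level >= $min_level) {
        $out['email'] = comment_field_escape($comment['comment_author_email']);
        $out['ip']    = comment_field_escape($comment['comment_author_IP']);
        $out['url']   = comment_field_escape($comment['comment_author_url']);
    } else {
        // Lower-level viewers get a fixed placeholder rather than the value.
        $out['email'] = $out['ip'] = $out['url'] = '(hidden)';
    }
    return $out;
}

// Constructed sample comment using the wp_comments column names.
$sample = array(
    'comment_author'       => 'alice',
    'comment_author_email' => 'alice@example.com',
    'comment_author_IP'    => '192.0.2.10',
    'comment_author_url'   => 'http://example.com/<b>',
    'comment_content'      => 'Nice post!',
);

// In WordPress 1.5 the global $user_level is set by get_currentuserinfo();
// here a Level 2 member and a level 10 administrator are simulated.
foreach (array(2, 10) as $level) {
    $row = comment_fields_for_level($sample, $level);
    printf("level %2d: author=%s email=%s ip=%s url=%s\n",
        $level, $row['author'], $row['email'], $row['ip'], $row['url']);
}
```

    In edit-comments.php the same check would wrap the cells that print the e-mail, IP and URL columns, so a Level 2 member still sees the comment text for moderation but not the other members' private details.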

  3. Jinsan
    Member
    Posted 9 years ago #

    Have you upgraded to 1.5.1.2?

  4. phonakins
    Member
    Posted 9 years ago #

    Isn't this the same thread as http://wordpress.org/support/topic/36377 ?

Topic Closed

This topic has been closed to new replies.
