Don’t Allow Contributors to see Comments section of admin panel (& email addys!)

  • Sorry, I have reposted this from another part of the forum, as I’d like to see this feature removed. Basically, anyone who signs up as a “contributor” (a heavily moderated ‘writer on trial’) can access all of the email and IP addresses of everyone who has ever commented on my blog. I’d like to point out that this means anyone who sets the default role of new members as “contributor” is opening everyone who ever commented on their site up to spammers.

    Also, why on earth should someone who is not even trusted to make their own posts without approval require the right to see such information. This should only be for the highest level users… anyhow… read on:

    I’d like to alter the back-end (admin panel) of WordPress so that the “Comments” tab is not open to anyone who is not an admin.

    I have seen a couple of other posts on this subject which have only received flippant responses along the lines of “why would you allow someone to make posts if you don’t trust them not to spam your other members?” The answer to that question is this:

    I moderate all new contributors’ posts until I feel I can trust them. If I set the options to allow all new members to be “contributors” (the lowest form of writer, who is not allowed to make posts without being approved) then ANYONE who registers with my multi-author blog can access the email address of EVERYONE who has left a comment… EVER. This is not right, and is presumably the reason why there is so much registration spam on WordPress.

    It is my belief that this aspect needs to be written out of WP, but failing that, at least can someone suggest the alterations I would need to make to the code in order to amend this situation myself?

    I can, of course, work out the answer on my own, but I’m pretty sure other people are out there looking for this fix, so the quick way would be a help for all of us.

    And if you’re planning a flippant remark, please remember I’m not the enemy, I actually want to protect the email addresses of those who leave comments on my WP blogs. It is the spammers and scrapers out there we should be inhibiting – precisely by removing this security issue.

    I was informed of this by one of my newly promoted authors, who was shocked that she could access all of these addresses. I was too. Imagine if she had also run a mailing list somewhere. She could have put all 5,000 or so unique addresses on there without so much as running a small script…

Viewing 12 replies - 1 through 12 (of 12 total)
  • Come to think of it, that’s probably where all those Viagra emails I get originated.

    It would be good if someone could provide a sensible response to this question.

    Thanks Michael, will check them out – have been searching around for a couple of hours now.

    I will post any fixes I find 🙂

    There are no fixes on those tickets, yet.

    Argh. There is an awareness of the problem, but a lack of a fix! It looks in the second ticket as though the time to sort this out has been moved back to WP 2.4. D’oh!!

    Does anyone have a workaround which will remove this issue?

    I’m extremely confident coding the front-end of WordPress, but have never had reason to alter the admin panel etc, so really don’t want to waste hours fishing around in there (and probably mucking things up time and again!) when there is probably someone who will know an exact solution.

    I’ll sort this one out and let you know tomorrow. I’m in Australia and it’s getting too far past my bedtime to be twiddling around with WP codes!

    To aid me in my quest, which specific files should I be changing to make amendments to the assigned ‘rights’ given to different user capabilities?

    Once I know where to begin I’ll have a play around and try to get a resolution.

    If that’s the approach you are taking, then you might look at Roles and Capabilities and at the bottom look for the Role Manager plugin link.

    I wasn’t able to ever get the Role Manager to do what I wanted. My situation sounds a lot like rabmaster’s, in that I wanted people to be able to submit posts, but I didn’t want them to be able to see any of the information that only admins should be seeing. Then, after literally weeks of searching, I ran across TDO Mini Forms which is exactly 100% what I needed. It tracks submissions, permits uploads, and if you want, you can set it to auto trust someone after they’ve had X amount of posts approved.

    This is a real problem for me too.

    Like rabmaster, I assign all authors the role of Contributor so I can moderate their posts. I do this because (1) I have a lot of authors, and I want to control when posts appear (spacing them out), and (2) I have a lot of authors who don’t write much, and don’t use spell checkers, and so I like to edit out the surface errors.

    However, I want to have a posted privacy policy that assures users their emails are private. This is impossible when all Contributors can see them.

    I also blog about an area of business that makes lots of people want to be anonymous and I need to protect that.

    I really do not want my contributors to have to post via emails to me–a lot of hassle.

    Please, please consider fixing this! There is currently no plugin to provide this functionality.

    Thanks Kafka, it does not fully solve the problem yet.
    I replied on the other thread. In case anyone is following the solution.
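
One way to build the workaround requested in this thread, shown as an added example that is not part of the original posts and not WordPress's own code. It assumes a current WordPress install where `remove_menu_page()` and the `load-{page}` admin hooks are available; the plugin name and the `rcs_` function names are hypothetical. It keys on the `moderate_comments` capability (Editors and Administrators by default); substitute `manage_options` to limit access to Administrators only.

```php
<?php
/**
 * Plugin Name: Restrict Comments Screen (added example, hypothetical)
 */

// True for a logged-in admin-panel user who may not moderate comments.
// With default roles this covers Contributors, Authors and Subscribers.
function rcs_is_restricted() {
    return is_admin() && ! current_user_can( 'moderate_comments' );
}

// 1. Hide the "Comments" entry from the admin menu.
function rcs_hide_menu() {
    if ( rcs_is_restricted() ) {
        remove_menu_page( 'edit-comments.php' );
    }
}
add_action( 'admin_menu', 'rcs_hide_menu', 999 );

// 2. Hiding the menu does not stop someone requesting the URL directly,
//    so refuse the request when either comments screen starts to load.
function rcs_block_screen() {
    if ( rcs_is_restricted() ) {
        wp_die(
            'You are not allowed to view comments.',
            'Forbidden',
            array( 'response' => 403 )
        );
    }
}
add_action( 'load-edit-comments.php', 'rcs_block_screen' );
add_action( 'load-comment.php', 'rcs_block_screen' );

// 3. Defence in depth: blank commenter e-mail and IP values for restricted
//    users anywhere else in the admin panel that renders them through the
//    standard template functions. Front-end output is left untouched.
function rcs_redact( $value ) {
    return rcs_is_restricted() ? '' : $value;
}
add_filter( 'get_comment_author_email', 'rcs_redact' );
add_filter( 'comment_email', 'rcs_redact' );
add_filter( 'get_comment_author_IP', 'rcs_redact' );
```

After activating it, log in as a Contributor and request `/wp-admin/edit-comments.php` directly to confirm the 403 response rather than relying on the missing menu item.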
