Full Version: Security And Privacy Concern!
Movable Type Community Forum > Using Movable Type > Commenting System
joed86
Hi,

For some reason my authors and writers can edit comments even though the only privileges they have are creating entries, commenting, and publishing entries.

I don't want them to have access to editing or deleting comments. I have MT 4.12

They also have access to all of the commenters emails which should be private!

I HAD TO DISMISS SOMEONE FOR USING COMMENTERS EMAIL ACCOUNTS TO SEND SPAM!

How do I fix this??

A million thanks in advance for your help...
OtherNiceMan
What roles do these people have?

Have you changed any of the roles default permissions?

Also remember that email addresses etc. can be accessed directly through the database; who has an account that can access the MT tables?

Who has an FTP account for your web host that can access mt-config.cgi and get database credentials from there?
joed86
OtherNiceMan, I am the only one with DB access.

The only permissions I allowed were create entries and publish entries, but they are still able to go in and see IP addresses, email addresses, edit comments, etc.

Is there any way to prevent them from having this type of access?

I think in most cases writers, contributing writers and guest writers wouldn't use that access and information inappropriately, but in my case it did happen and now I want to make sure that it does not happen again.

I never knew they had access to begin with, I always just assumed that would be an administrators permission only.

Thanks, Joe
joed86
One more thing, when I had 3.2, the comment entry form had the fields: name, email, url, comment.

Next to the email field entry text box it said in parentheses (email will not be published)

I always assumed it meant that the email addresses people entered were being encrypted in some way. But I guess I was wrong in that assumption.

Is there any way that can be done, if it's not possible to disallow comment editing for permissions "creating entries" and "publishing entries"?

Thanks again,

Joe
OtherNiceMan
QUOTE (joed86 @ Jul 21 2008, 04:07 PM) *
OtherNiceMan, I am the only one with DB access.

The only permissions I allowed were create entries and publish entries, but they are still able to go in and see IP addresses, email addresses, edit comments, etc.

Is there any way to prevent them from having this type of access?

I think in most cases writers, contributing writers and guest writers wouldn't use that access and information inappropriately, but in my case it did happen and now I want to make sure that it does not happen again.

I never knew they had access to begin with, I always just assumed that would be an administrators permission only.

Thanks, Joe


And you are the only one with FTP access?

As a test I created a new user, I did not give them any of the system permissions on the user profile page.

Under permissions I granted them the Author role only for the blog.

I then logged in as the author, and I can see the pending comments but cannot access author details like email addresses for MT accounts.
OtherNiceMan
QUOTE (joed86 @ Jul 21 2008, 04:13 PM) *
One more thing, when I had 3.2, the comment entry form had the fields: name, email, url, comment.

Next to the email field entry text box it said in parentheses (email will not be published)

I always assumed it meant that the email addresses people entered were being encrypted in some way. But I guess I was wrong in that assumption.

Is there any way that can be done, if it's not possible to disallow comment editing for permissions "creating entries" and "publishing entries"?

Thanks again,

Joe


email will not be published means that it will be published on the page.
joed86
Hi,

They have no FTP access either.

I signed in as one of my writers. Before I signed in I made sure he had no systems permissions.

His role as writer only allows creating entries and publishing entries.

When I signed in, the sidebar widget shows the number of entries he has written and the number of comments on his entries.

If you click on the comments links it says permission denied. However if you click on the number of entries, it takes you to a listing of all entries he published.

[img]http://i81.photobucket.com/albums/j225/metsmerized/Misc%20Stuff/commentsss.jpg[/img]

He can then click on any entry and he gets the above screen where he can edit OR reply to comments.

He can then hit edit which brings him to the following screen...

[img]http://i81.photobucket.com/albums/j225/metsmerized/Misc%20Stuff/ss2.jpg[/img]

He can see all the info of the person who left that comment.

I hope this helps illustrate the problem a little clearer.

Thanks so much for your assistance, I really appreciate your time and effort.

Joe
OtherNiceMan
Yes it is clearer.

Further testing has shown that I can only edit comments on posts I have authored, so I can only see the email addresses for those.
joed86
QUOTE (OtherNiceMan @ Jul 21 2008, 05:23 PM) *
Yes it is clearer.

Further testing has shown that I can only edit comments on posts I have authored, so I can only see the email addresses for those.


Is there a way to prevent comment editing for anyone other than an admin?
OtherNiceMan
Not without a plug-in (I don't know of one off-hand) or hacking some of the system templates; the general assumption is that authors are trustworthy enough to manage their own traffic.
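Since the thread concludes that MT 4.x gives authors the comment edit screen (and with it the commenter's email and IP) for their own entries, and that this cannot be switched off without a plug-in, the practical defence is to audit who has been editing comments. The script below is an added example and is not code from this thread or from Movable Type. It assumes the MT4 column names `comment_modified_by`, `comment_entry_id`, `comment_email` (mt_comment), `entry_author_id` (mt_entry) and `author_name` (mt_author); check those against your own database before running the queries against it. It uses an in-memory SQLite database loaded with constructed rows as a stand-in for the real MySQL/PostgreSQL tables; the SQL itself is plain enough to paste into a client against the live tables.

```python
import sqlite3

# Assumed MT4 schema (subset). Column names are an assumption; verify with DESCRIBE.
SCHEMA = """
CREATE TABLE mt_author  (author_id INTEGER PRIMARY KEY, author_name TEXT);
CREATE TABLE mt_entry   (entry_id  INTEGER PRIMARY KEY, entry_author_id INTEGER);
CREATE TABLE mt_comment (
    comment_id          INTEGER PRIMARY KEY,
    comment_entry_id    INTEGER,
    comment_email       TEXT,
    comment_modified_by INTEGER,      -- NULL when the comment was never edited in the UI
    comment_modified_on TEXT
);
"""

# Constructed sample data: one admin, two writers, two entries, six comments.
AUTHORS = [(1, "admin"), (2, "writer_bob"), (3, "writer_carol")]
ENTRIES = [(10, 2), (11, 3)]                      # entry 10 by bob, entry 11 by carol
COMMENTS = [
    (100, 10, "a@example.com", 2,    "2008-07-20 10:00:00"),  # bob edited, own entry
    (101, 10, "b@example.com", 2,    "2008-07-20 11:00:00"),  # bob edited, own entry
    (102, 11, "c@example.com", None, None),                    # never edited
    (103, 11, "d@example.com", 1,    "2008-07-20 12:00:00"),  # admin edited
    (104, 11, "f@example.com", 2,    "2008-07-21 09:00:00"),  # bob edited carol's entry: anomaly
    (105, 10, "e@example.com", 3,    "2008-07-21 10:00:00"),  # carol edited bob's entry: anomaly
]
ADMIN_IDS = {1}   # system administrators, whose edits are expected


def build_sample_db():
    """Create the in-memory stand-in for the MT database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mt_author VALUES (?, ?)", AUTHORS)
    conn.executemany("INSERT INTO mt_entry VALUES (?, ?)", ENTRIES)
    conn.executemany("INSERT INTO mt_comment VALUES (?, ?, ?, ?, ?)", COMMENTS)
    return conn


def _admin_clause(admin_ids):
    """Build a 'NOT IN (?, ?, ...)' fragment and its parameters for the admin id set."""
    ids = sorted(admin_ids)
    return "NOT IN (" + ",".join("?" * len(ids)) + ")", tuple(ids)


def comment_edits_by_non_admins(conn, admin_ids):
    """Every comment last modified by a non-admin account.

    Each row (comment_id, editor, entry_author_id, modified_on, email) is a comment whose
    edit screen, and therefore the commenter's email and IP, was opened by an author.
    """
    clause, params = _admin_clause(admin_ids)
    sql = f"""
        SELECT c.comment_id, a.author_name, e.entry_author_id, c.comment_modified_on, c.comment_email
        FROM mt_comment c
        JOIN mt_author a ON a.author_id = c.comment_modified_by
        JOIN mt_entry  e ON e.entry_id  = c.comment_entry_id
        WHERE c.comment_modified_by IS NOT NULL
          AND c.comment_modified_by {clause}
        ORDER BY c.comment_modified_on, c.comment_id
    """
    return conn.execute(sql, params).fetchall()


def edits_outside_own_entries(conn, admin_ids):
    """Non-admin edits to comments on entries the editor did not write.

    The thread's test found authors can only edit comments on their own entries, so any
    row here means an account holds more permission than the Author role should give.
    """
    clause, params = _admin_clause(admin_ids)
    sql = f"""
        SELECT c.comment_id, a.author_name, e.entry_author_id
        FROM mt_comment c
        JOIN mt_author a ON a.author_id = c.comment_modified_by
        JOIN mt_entry  e ON e.entry_id  = c.comment_entry_id
        WHERE c.comment_modified_by IS NOT NULL
          AND c.comment_modified_by {clause}
          AND c.comment_modified_by <> e.entry_author_id
        ORDER BY c.comment_id
    """
    return conn.execute(sql, params).fetchall()


def emails_exposed_per_editor(conn, admin_ids):
    """Distinct commenter emails each non-admin editor has had on screen: the blast radius
    if one account turns out to be harvesting addresses, as happened in the thread."""
    clause, params = _admin_clause(admin_ids)
    sql = f"""
        SELECT a.author_name, COUNT(DISTINCT c.comment_email)
        FROM mt_comment c
        JOIN mt_author a ON a.author_id = c.comment_modified_by
        WHERE c.comment_modified_by IS NOT NULL
          AND c.comment_modified_by {clause}
        GROUP BY a.author_name
    """
    return dict(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    db = build_sample_db()
    for row in comment_edits_by_non_admins(db, ADMIN_IDS):
        print("edited by author:", row)
    for row in edits_outside_own_entries(db, ADMIN_IDS):
        print("edit outside own entries (check this account's role):", row)
    print("distinct emails seen per editor:", emails_exposed_per_editor(db, ADMIN_IDS))
```

Run it periodically (or after a spam complaint) and keep the output; a column like `comment_modified_by` only records the last editor, so an audit that runs often catches more than one taken once.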