
Conversation

@m1r0
Member

@m1r0 m1r0 commented Sep 16, 2025

Reported in 10207255-zd-a8c
Discussion 10207255-zd-a8cp1757609717205269-slack-C07418EJ0

Proposed Changes

This PR disables the lesson comments for users who are unregistered or don't have access to the lesson. This is only the case when Learning Mode is off and the theme supports Full Site Editing.

Testing Instructions

  1. Disable learning mode.
  2. Activate a Full Site Editing theme, e.g., Course.
  3. Create a course with lessons and add a comment to one of the lessons.
  4. Make sure the comment is not visible to unregistered users or ones who don't have access.

Pre-Merge Checklist

  • PR title and description contain sufficient detail and accurately describe the changes
  • Adheres to coding standards (PHP, JavaScript, CSS, HTML)
  • All strings are translatable (without concatenation, handles plurals)
  • Follows our naming conventions (P6rkRX-4oA-p2)
  • Hooks (p6rkRX-1uS-p2) and functions are documented
  • New UIs are responsive and use a mobile-first approach
  • Code is tested on the minimum supported PHP and WordPress versions

@m1r0 m1r0 self-assigned this Sep 16, 2025
@m1r0 m1r0 changed the title from "Fix lesson comments being visible in some cases" to "Fix lesson comments being visible to unregistered users in some cases" Sep 16, 2025
@m1r0 m1r0 added this to the 4.25.1 milestone Sep 16, 2025
@m1r0 m1r0 marked this pull request as ready for review September 17, 2025 14:20
Copilot AI review requested due to automatic review settings September 17, 2025 14:20
Contributor

Copilot AI left a comment


Pull Request Overview

This PR fixes a security issue where lesson comments were visible to unregistered users or users without lesson access when using Full Site Editing themes with Learning Mode disabled. The fix introduces proper permission checking before displaying comments.

  • Replaces boolean theme/post-type checks with user permission validation
  • Adds new method to centralize comment visibility logic
  • Ensures comments are only shown to users who can view the lesson

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File: includes/unsupported-theme-handlers/class-sensei-unsupported-theme-handler-cpt.php
Description: Implements permission-based comment visibility control by replacing theme checks with user access validation

File: changelog/fix-lesson-comments-visible-to-unregistered-users
Description: Documents the security fix in the changelog

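The PR description and the review summary above both describe the same change: the comment-visibility decision for a lesson was keyed on a boolean theme/post-type check, and the fix keys it on whether the current user may view the lesson. The following is an added example that illustrates that pattern; it is not Sensei's own code and is not the diff from this PR. It assumes a standard WordPress plugin context, the real Sensei post type `lesson`, and that `sensei_can_user_view_lesson( $lesson_id, $user_id )` is Sensei's template-level access helper with that signature (treated here as an assumption). The helper names prefixed `example_` are hypothetical.

```php
<?php
/**
 * Added example (not Sensei's own code): gate lesson comments on the
 * viewer's access to the lesson instead of on theme/post-type flags.
 *
 * Assumptions:
 *  - 'lesson' is Sensei's lesson post type (real).
 *  - sensei_can_user_view_lesson( $lesson_id, $user_id ) exists with that
 *    signature and returns true when the user may view the lesson
 *    (assumption about Sensei's API; the code fails closed if it is absent).
 *  - The WordPress filters used below (comments_open, comments_array,
 *    get_comments_number) are core filters with the documented arguments.
 */

// "Before": answers only "is this a lesson on a block theme?" and never asks
// who is looking. Every visitor, including logged-out ones, passes it.
function example_comments_visible_before( $post_id ) {
	return 'lesson' === get_post_type( $post_id )
		&& current_theme_supports( 'block-templates' );
}

// "After": the decision is made once, in one place, and requires that the
// viewer is both registered and allowed to view this particular lesson.
function example_comments_visible_after( $post_id, $user_id = 0 ) {
	$post_id = (int) $post_id;

	if ( 'lesson' !== get_post_type( $post_id ) ) {
		return true; // Not a lesson: leave comment behaviour untouched.
	}

	$user_id = $user_id ? (int) $user_id : get_current_user_id();
	if ( 0 === $user_id ) {
		return false; // Unregistered visitors never see lesson comments.
	}

	if ( ! function_exists( 'sensei_can_user_view_lesson' ) ) {
		return false; // Fail closed if the access helper is unavailable.
	}

	// Assumed Sensei helper; it is also where preview-lesson rules would live.
	return (bool) sensei_can_user_view_lesson( $post_id, $user_id );
}

// Apply the single decision to every place comments surface: the form,
// the rendered list, and the count shown in templates.
add_filter(
	'comments_open',
	function ( $open, $post_id ) {
		return (bool) $open && example_comments_visible_after( $post_id );
	},
	10,
	2
);

add_filter(
	'comments_array',
	function ( $comments, $post_id ) {
		return example_comments_visible_after( $post_id ) ? $comments : array();
	},
	10,
	2
);

add_filter(
	'get_comments_number',
	function ( $count, $post_id ) {
		return example_comments_visible_after( $post_id ) ? $count : 0;
	},
	10,
	2
);
```

Two points worth checking when verifying a fix of this shape: the gate has to cover the comment list and count, not only the form, or an anonymous visitor still reads existing comments even though they cannot post; and the gate should fail closed when the access helper is missing rather than fall back to the old theme check. The lesson-preview scenario raised later in this thread (#2192) is the kind of case the access helper, not the gate, is expected to handle, so it does not need a special case here.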

@m1r0 m1r0 requested a review from donnapep September 17, 2025 14:43
@m1r0
Member Author

m1r0 commented Sep 17, 2025

@donnapep, could you please give this one a look and tell me if it makes sense? I'm somewhat concerned that I might be fixing something that is a feature for some users.

@m1r0 m1r0 modified the milestones: 4.25.1, 4.25.2 Sep 24, 2025
@donnapep
Contributor

donnapep commented Dec 7, 2025

This was the issue I was thinking of related to comments - #2192. I didn't test, but if the scenario described in that PR still works, then this change seems fine.

@m1r0
Member Author

m1r0 commented Dec 10, 2025

I just checked, and the lesson preview scenario still works as expected with this change. Appreciate the feedback, Donna! 🙇

@m1r0 m1r0 merged commit a0b2f73 into trunk Dec 10, 2025
23 checks passed
@m1r0 m1r0 deleted the fix/lesson-comments-visible-to-unregistered-users branch December 10, 2025 12:33

3 participants