Changeset 9329

Timestamp:

12/11/2019 04:47:31 PM (5 years ago)

Author:

iandunn

Message:

O2 Follow: Add warning about using data in other contexts.

File:

• sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/class-o2-follow.php (modified) (2 diffs)

sites/trunk/wordpress.org/public_html/wp-content/mu-plugins/pub/class-o2-follow.php

@@ -17 +17 @@
 
     // Use the old p2 meta key, for backwards compatibility.
+    // Warning: Be careful using this in other contexts. See `subscribe_to_comments()` for details.
     const USER_META_KEY = 'jpflfp2_posts_following';
 
@@ -311 +312 @@
         $subscribed_ids   = array_unique( $subscribed_ids );
 
+        /*
+         * Warning: Be careful when using this data in any other context. It's not indexed by blog ID, so there's
+         * no way to know which post it actually refers to.
+         *
+         * For example, if you were to use it to email comment notifications to followers of a private post, you
+         * would also be emailing followers of posts on other sites which happened to have the same post ID, and
+         * would expose any sensitive information in those comments to random people who otherwise wouldn't have
+         * access to it.
+         */
         update_user_meta( $current_user->ID, self::USER_META_KEY, $subscribed_ids );
     }