[wp-trac] [WordPress Trac] #8761: update wp_dropdown_roles() with a filter to limit displayed rolenames (security)

WordPress Trac wp-trac at lists.automattic.com
Tue Dec 30 20:58:28 GMT 2008


#8761: update wp_dropdown_roles() with a filter to limit displayed rolenames
(security)
--------------------------+-------------------------------------------------
 Reporter:  jeremyclarke  |       Owner:  jeremyclarke                        
     Type:  defect (bug)  |      Status:  new                                 
 Priority:  normal        |   Milestone:  2.8                                 
Component:  Security      |     Version:                                      
 Severity:  normal        |    Keywords:  has-patch capabilities needs-testing
--------------------------+-------------------------------------------------
 For history see: #6014

 I'm updating that patch so it can be added to 2.8, but I'm splitting up
 the various parts so they can be added more easily.

 Part 1 was #8760, now committed.

 What I want (same as #8760): To add security to the capabilities system
 because right now edit_users can't be delegated to non-admins (in our case
 our content editors). If someone has 'edit_users' they can make themselves
 admin because nothing stops them from editing themselves or others to be
 admin. I think it should be integrated into core but don't care enough to
 fight. It can be done with a plugin so my priority is to make sure that my
 plugin (and Role Manager plugin) can hook into the appropriate places and
 add a role comparison such that wp only lets people edit users/roles
 "lower" than them (i.e. users that don't have any powers that the editor
 doesn't have).

 This specific patch is to allow plugins to control the list of roles used
 in dropdown menus. The menus I'm talking about are displayed at the top of
 the users.php user list, as well as in the edit-user.php user editing page
 (I will write a patch to make that happen, user-edit.php is currently
 duplicating the logic already present in wp_dropdown_roles). They have a
 list of all roles and you choose a new role and save (on users.php you do
 this by checking the checkbox next to a user, changing the role dropdown,
 then saving).

 Currently, these menus just show every role available on the site, with
 the result that an 'Editor', if given the 'edit_users' privilege, is able
 to check the box next to their name, select 'administrator' from the
 dropdown then save, giving them administrator privileges.

 The main change in the patch is to add_filter('role_names_listing',
 $role_names), giving plugins a chance to remove undesirable/inappropriate
 entries from the list. This allows my plugin code to assess which roles
 the current logged-in user should be able to edit, and hide the others so
 they can't be used. In conjunction with hiding checkboxes for other users
 they aren't allowed to edit, this will remove the ability of malicious
 users to promote themselves above their current level.

 I also added some phpdoc for this function, feedback about that welcome. I
 also changed the label for the parameter $default to be called $selected,
 as it defines which element in the list will be selected initially and
 $default is a bit too generic for my taste.

 Feedback about the patch welcome.

 The plugin code to make this work can be found here:
 http://www.pastie.org/349208

 Note that to see my patch in action you will need to run that plugin code
 as well as have a non-admin user with the edit_users cap (install and use
 Role Manager plugin to do that). Log in as the non-admin with edit_users
 and go to the user listing page, you'll notice that 'administrator' is no
 longer on the dropdown list.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/8761>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
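
The role comparison the ticket describes ("only roles whose powers are a subset of the current user's"), as an added example plugin. This is not the pastie code linked above, not part of the ticket, and not WordPress core. It assumes the patch applies the filter as apply_filters('role_names_listing', $role_names) with an array of role slug => display name, and it relies on WP_Roles::$roles (slug => array with a 'capabilities' key) and WP_User::$allcaps, both of which exist in WordPress. The role table at the bottom is constructed sample data so the file also runs under the php CLI outside WordPress.

```php
<?php
/*
Plugin Name: Hide Higher Roles (added example for ticket #8761)
Description: Removes from the role dropdown every role that holds a
capability the current user does not hold. Assumes the ticket's
'role_names_listing' filter passes an array of role slug => display name.
*/

/**
 * True when every capability granted by $candidate is also held by the
 * actor. WordPress stores capabilities as name => bool, so a cap set to
 * false is an explicit denial and does not count as a power.
 */
function hhr_role_within_powers(array $candidate, array $actor_caps) {
    foreach ($candidate as $cap => $granted) {
        if (!$granted) {
            continue;
        }
        if (empty($actor_caps[$cap])) {
            return false; // the candidate role has a power the actor lacks
        }
    }
    return true;
}

/**
 * Pure filter step: drop every role whose powers are not a subset of the
 * actor's. A role missing from $role_caps is hidden as well, so an
 * unknown role is never offered by accident (fail closed).
 */
function hhr_remove_higher_roles(array $role_names, array $role_caps, array $actor_caps) {
    foreach ($role_names as $slug => $display_name) {
        if (!isset($role_caps[$slug])
            || !hhr_role_within_powers($role_caps[$slug], $actor_caps)) {
            unset($role_names[$slug]);
        }
    }
    return $role_names;
}

/**
 * Callback for the 'role_names_listing' filter proposed in the patch.
 * Reads the site's role table from $wp_roles->roles and the actor's
 * effective capabilities from WP_User::$allcaps.
 */
function hhr_filter_role_names($role_names) {
    global $wp_roles;
    $user = wp_get_current_user();
    if (empty($user->ID)) {
        return array(); // nobody is logged in: offer no roles at all
    }
    $role_caps = array();
    foreach ($wp_roles->roles as $slug => $role) {
        $role_caps[$slug] = isset($role['capabilities']) ? $role['capabilities'] : array();
    }
    return hhr_remove_higher_roles((array) $role_names, $role_caps, $user->allcaps);
}

if (function_exists('add_filter')) {
    add_filter('role_names_listing', 'hhr_filter_role_names');
} else {
    // Not inside WordPress: exercise the pure logic with a constructed role
    // table (sample data, not a real site). The editor role has been given
    // edit_users, as the Role Manager plugin would do.
    $sample_roles = array(
        'administrator' => array('read' => true, 'edit_posts' => true, 'publish_posts' => true,
                                 'edit_others_posts' => true, 'edit_users' => true, 'switch_themes' => true),
        'editor'        => array('read' => true, 'edit_posts' => true, 'publish_posts' => true,
                                 'edit_others_posts' => true, 'edit_users' => true),
        'author'        => array('read' => true, 'edit_posts' => true, 'publish_posts' => true),
        'subscriber'    => array('read' => true),
    );
    $sample_names = array(
        'administrator' => 'Administrator',
        'editor'        => 'Editor',
        'author'        => 'Author',
        'subscriber'    => 'Subscriber',
    );
    // The actor is a user whose only role is the edit_users-capable editor;
    // WordPress also records the role slug itself in allcaps.
    $editor_caps = $sample_roles['editor'] + array('editor' => true);
    $visible = hhr_remove_higher_roles($sample_names, $sample_roles, $editor_caps);
    // Administrator is hidden because it holds switch_themes, which the
    // editor does not; Editor, Author and Subscriber remain.
    echo implode(', ', $visible), "\n";
}
```

Hiding an option only constrains what the browser offers; a user with edit_users can still submit any role slug in the POST. The same hhr_remove_higher_roles() comparison therefore has to run where users.php and user-edit.php process the submitted role, rejecting any slug that the filtered list would not have shown.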
