[wp-trac] [WordPress Trac] #20488: DISALLOW_UNFILTERED_HTML improperly controls file edit/modifications

WordPress Trac wp-trac at lists.automattic.com
Thu Apr 19 05:48:15 UTC 2012


#20488: DISALLOW_UNFILTERED_HTML improperly controls file edit/modifications
-----------------------------+-----------------------------------
 Reporter:  nacin            |      Owner:
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  3.4
Component:  Role/Capability  |    Version:
 Severity:  normal           |   Keywords:  has-patch 2nd-opinion
-----------------------------+-----------------------------------
 Apparently DISALLOW_UNFILTERED_HTML is not often used, as doing so also
 accidentally sets various other capabilities to do_not_allow: edit_,
 install_, update_, and delete_ plugins and themes, and update_core.

 On one hand, it could be inferred that disallowing HTML also means you
 want to disallow access to install or modify code. I would agree. However,
 update_core should be excluded from this inference.

 Attached is a unit test (the constant does not break any other tests, so
 it appears) and a patch. If we decide that only update_core should be
 excluded, the patch will be a bit simpler.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/20488>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

