[wp-trac] [WordPress Trac] #24169: WP_Customize_Manager loads the current user too early
WordPress Trac
noreply at wordpress.org
Mon Jul  8 20:32:08 UTC 2013
#24169: WP_Customize_Manager loads the current user too early
-----------------------------+-----------------------------
 Reporter:  johnjamesjacoby  |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Future Release
Component:  Themes           |     Version:  3.4
 Severity:  major            |  Resolution:
 Keywords:  has-patch        |
-----------------------------+-----------------------------
Changes (by nacin):
 * milestone:  3.6 => Future Release
Comment:
 So the problem with doing cap checks later on is that the theme has
 already been given a chance to load by this point. Even though we
 eventually die, the very act of including a theme's functions.php when the
 user is unable to switch_themes can be considered privilege escalation.
 Unfortunately we *need* to do cap checks here before we actually load the
 theme. I'm happy to consider some adjustments for it to work better with
 the very valid concerns you mentioned. But for the moment, status quo
 prevails.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24169#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
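The ordering concern in the comment above, as an added illustration that is not part of the ticket or of WordPress core: current_user_can() and wp_die() are stubbed so it runs outside WordPress, and the theme's functions.php is a constructed temp file whose inclusion sets a global flag.

```php
<?php
// Added illustration, not WordPress core code. current_user_can() and wp_die()
// are stand-ins for the real WordPress functions so this runs standalone.
function current_user_can(string $cap): bool {
    // Assumption for the demo: the current user lacks the switch_themes cap.
    return $cap !== 'switch_themes';
}
function wp_die(string $msg): void {
    throw new RuntimeException($msg);
}

// Constructed stand-in for a theme's functions.php: merely including it has a
// side effect (a global flag here; in a real theme it could be anything).
$themeFunctions = sys_get_temp_dir() . '/demo-theme-functions.php';
file_put_contents($themeFunctions, '<?php $GLOBALS["theme_code_ran"] = true;');

// Ordering the ticket argues against: theme code runs before the cap check,
// so wp_die() cannot undo whatever functions.php already did.
function check_too_late(string $file): void {
    include $file;
    if (!current_user_can('switch_themes')) {
        wp_die('Insufficient permissions');
    }
}

// Ordering core keeps: the cap check gates the include itself.
function check_first(string $file): void {
    if (!current_user_can('switch_themes')) {
        wp_die('Insufficient permissions');
    }
    include $file;
}

foreach (['check_too_late', 'check_first'] as $fn) {
    $GLOBALS['theme_code_ran'] = false;
    try {
        $fn($themeFunctions);
    } catch (RuntimeException $e) {
        // wp_die() fires in both orderings; only the side effect differs
    }
    printf("%-14s theme code ran: %s\n", $fn,
        var_export($GLOBALS['theme_code_ran'], true));
}
unlink($themeFunctions);
```

Both orderings end in wp_die(), but only check_first() leaves the flag false, which is the distinction the comment draws between "eventually dying" and never loading the theme.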