[wp-hackers] "commenter" user role

Stephen Rider wp-hackers at striderweb.com
Mon Mar 8 14:02:03 UTC 2010


On Mar 7, 2010, at 6:17 PM, Mike Schinkel wrote:

> You are unnecessarily conflating "has a record in wp_users" with "having registered as a user."  Commenters would not be registered users, they would have a record in the wp_users table, nothing more.

Hmm.  Yup -- I guess I did do that.  I stand corrected.

> The problem with elevation of privilege is that you let them login at all; put multiple checks in place to ensure they can't login then this becomes a non-issue.

> Please address how incorporating multiple checks doesn't resolve the situation?


I guess the risk is the potential for bugs in those checks, or missing a check somewhere.

I remember (a while back - I'm sure things have changed a bit by now) somebody describing the difference between security in Unix vs Windows, and what it came down to was that in Unix, by default a user can do nothing, and the admin adds rights; in Windows by default a user can do *everything* and the admin takes rights away.

When you talk about putting in checks against somebody doing things, it sounds a lot like the "Windows" model above.

So... if we do put commenters in the wp-users table, I want to be sure we do it with a mind toward hardening WP to assume that a given person *can't* do *anything* unless given permission.  Also keep in mind that many plugins are (right or wrong) not coded with security in mind, and again it's best if people can't do things unless explicitly given permission.

Anyway... having said that, I'll drop my objection to putting commenters in wp-users.  Your distinction between being in the table and being registered is a good one.

> On Mar 6, 2010, at 11:17 PM, Ptah Dunbar wrote:
>> I raised that issue about core post types not using the show_ui argument so if one decides to remove them, Posts,  Pages, and Media would disappear from the UI.
> 
>> Outside of that, I disagree that the core post types are really that hardcoded into WP; and if so, then that's probably a bug which you should file a new ticket for.
> 
> You are missing the point.  It's not whether or not they are too hardcoded, it's the fact that without being able to remove them few people are ever going to test the edge cases.

I think you argue against yourself.  It should be the default AND it's an "edge case"?  If so many people want to get rid of posts and pages that it should be the default, then surely these will be tested.

Make it possible to remove them via filter?  Great.  Remove them by default?  No.

Ptah is right -- if and where they are hard-coded, those are simply bugs to be fixed.

> Why would you have an issue with them being default canonical plugins?  I can't see any downside to that.

Because we want to keep it very easy for Joe User to put up his blog.  Non techie people don't want to mess with plugins as readily as dev types.

How about a canonical plugin that allows you to manipulate post types -- including removing default ones?

Stephen
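
Added example, not part of the original message and not WordPress code: a small Python model of the two approaches debated above, "checks" that block a commenter from listed actions versus a role that can do nothing unless granted. The role names, action names and the plugin action `export_subscribers` are hypothetical, constructed for illustration.

```python
"""Deny-list checks vs. default-deny capabilities (illustrative model only)."""

# Actions that exist when the commenter checks are written (constructed sample).
CORE_ACTIONS = {"login", "edit_posts", "manage_options", "post_comment"}

# Model A: "put checks in place". Each forbidden action must be listed by hand.
COMMENTER_DENIED = {"login", "edit_posts", "manage_options"}


def deny_list_allows(role, action):
    """Everything is allowed unless a check explicitly blocks it."""
    if role == "commenter" and action in COMMENTER_DENIED:
        return False
    return True


# Model B: default deny. A role can do only what it was explicitly granted.
ROLE_CAPS = {
    "administrator": set(CORE_ACTIONS),
    "commenter": {"post_comment"},
}


def default_deny_allows(role, action):
    """Nothing is allowed unless the role was granted it; unknown roles get nothing."""
    return action in ROLE_CAPS.get(role, set())


def audit(actions, role="commenter"):
    """Return the actions on which the two models disagree for the given role."""
    return sorted(
        a for a in actions
        if deny_list_allows(role, a) != default_deny_allows(role, a)
    )


if __name__ == "__main__":
    # With only the actions the checks were written for, both models agree.
    print(audit(CORE_ACTIONS))
    # A plugin later registers an action nobody wrote a check for:
    # the deny-list model allows it, the default-deny model does not.
    print(audit(CORE_ACTIONS | {"export_subscribers"}))
```

The disagreement appears only for the action added after the checks were written, which is the "missing a check somewhere" case.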

