[wp-trac] Re: [WordPress Trac] #8770: Add role filtering to user editing code to secure edit_users capability (security)

WordPress Trac wp-trac at lists.automattic.com
Tue Jan 6 17:28:12 GMT 2009


#8770: Add role filtering to user editing code to secure edit_users capability
(security)
--------------------------------------------------+-------------------------
 Reporter:  jeremyclarke                          |        Owner:  jeremyclarke
     Type:  defect (bug)                          |       Status:  new         
 Priority:  normal                                |    Milestone:  2.8         
Component:  Security                              |      Version:              
 Severity:  normal                                |   Resolution:              
 Keywords:  has-patch capabilities needs-testing  |  
--------------------------------------------------+-------------------------
Comment (by ryan):

 Should get_editable_roles() return an empty array if the user can't
 edit_users?  The change to wp-admin/users.php seems like it would allow
 promoting to any role even without edit_users.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/8770#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

