[wp-trac] [WordPress Trac] #12693: Inaccurate user role filtering
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 24 21:37:30 UTC 2010
#12693: Inaccurate user role filtering
--------------------------+-------------------------------------------------
 Reporter:  johnbillion   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Unassigned
Component:  Users         |     Version:  2.9.2
 Severity:  minor         |    Keywords:
--------------------------+-------------------------------------------------
When filtering users by role from the Users screen, the SQL query that
filters users by role can return inaccurate results if a plugin has added
custom user capabilities.
For example, when filtering users with a role of Editor, the query joins
the usermeta table and adds this WHERE clause:
{{{
WHERE wp_usermeta.meta_key = 'wp_capabilities'
AND wp_usermeta.meta_value LIKE '%editor%'
}}}
If a plugin has added a new user capability such as 'manage_editors' then
any user with this capability will show up in this list, regardless of
their role, because their capabilities will contain the string
'manage_editors' which is matched by the query. The `LIKE '%editor%'` bit
is the problem.
This is simple to fix. We'll just add double quotes around the role name
in the query, and this will force it to match just the role name (which is
stored in the database as a serialized string, and is therefore wrapped in
double quotes).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12693>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
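
The false match and the quoted fix described in the ticket, as an added example (not WordPress code and not part of the original message): it runs both LIKE patterns in an in-memory SQLite database over constructed serialized `wp_capabilities` values. The reduced table, the helper names, the `shop_manager` rows and the wildcard escaping are assumptions of the example, and the escaping goes one step beyond the ticket.

```python
import sqlite3

# Constructed sample data: (user_id, PHP-serialized wp_capabilities value).
ROWS = [
    (1, 'a:1:{s:6:"editor";b:1;}'),                                 # real Editor
    (2, 'a:2:{s:10:"subscriber";b:1;s:14:"manage_editors";b:1;}'),  # Subscriber + plugin cap
    (3, 'a:1:{s:13:"administrator";b:1;}'),
    (4, 'a:1:{s:12:"shop_manager";b:1;}'),                          # hypothetical custom roles
    (5, 'a:1:{s:12:"shopXmanager";b:1;}'),
]

def build_db():
    """In-memory stand-in for wp_usermeta, reduced to the columns the query uses."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", ROWS)
    return db

def like_escape(value):
    """Escape LIKE wildcards so '_' and '%' in a role name match literally."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def users_with_role(db, role, quoted):
    """quoted=False is the ticket's LIKE '%editor%'; quoted=True wraps the role in double quotes."""
    needle = like_escape(role)
    pattern = f'%"{needle}"%' if quoted else f"%{needle}%"
    sql = ("SELECT user_id FROM wp_usermeta "
           "WHERE meta_key = 'wp_capabilities' "
           "AND meta_value LIKE ? ESCAPE '\\' ORDER BY user_id")
    return [row[0] for row in db.execute(sql, (pattern,))]

if __name__ == "__main__":
    db = build_db()
    print("unquoted:", users_with_role(db, "editor", quoted=False))  # includes user 2
    print("quoted:  ", users_with_role(db, "editor", quoted=True))
```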