[wp-trac] [WordPress Trac] #43936: Settings: Warn when open registration and new user default is privileged
WordPress Trac
noreply at wordpress.org
Sun Apr 27 22:40:02 UTC 2025
#43936: Settings: Warn when open registration and new user default is privileged
-------------------------------------------------+-------------------------
Reporter: kraftbj | Owner: audrasjb
Type: feature request | Status: accepted
Priority: normal | Milestone: 6.9
Component: Security | Version:
Severity: normal | Resolution:
Keywords: needs-user-docs changes-requested | Focuses:
early | administration
-------------------------------------------------+-------------------------
Changes (by SirLouen):
* keywords: has-patch needs-user-docs needs-testing changes-requested
early => needs-user-docs changes-requested early
Comment:
== Combined Issue Reproduction and Patch Test Report
=== Description
❌ This report can't completely validate the indicated patch works as
expected.
Patch tested: https://github.com/WordPress/wordpress-
develop/pull/5893.diff
=== Environment
- WordPress: 6.9-alpha-60093-src
- PHP: 8.2.28
- Server: nginx/1.27.5
- Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
- Browser: Chrome 135.0.0.0
- OS: Windows 10/11
- Theme: Twenty Twenty-Five 1.2
- MU Plugins: None activated
- Plugins:
* Test Reports 1.2.0
=== Issue Reproduction
1. In Settings > General
2. New User Default Role
3. 🐞 Without the patch, Administrator Role can be assigned without
trouble
=== Expected Results
- Administration role can't be assigned by default
- Any administration capability-based role, should not be able to be
assigned by default (or at least the patch should include extensibility
options to include such new roles, with a hook or whatever)
=== Actual Results
1. ✅ With the patch, Admin and Editor (why Editor?) don't appear in the
list
2. ❓ How can you reproduce the Health check if Admin is removed?
3. ❌ Other roles with admin-level capabilities can be included
=== Additional Notes
1. More than limiting by roles, as @davidbaumwald suggests, the important
thing here is to limit by capabilities, for example, if a role has
`manage_options` it should not be able to be assigned by default. Refer to
[https://wordpress.org/documentation/article/roles-and-capabilities/ Roles
and Capabilities] for more information.
2. Although, on the other side, the problem with referring to
capabilities, is that, if tomorrow, there is a very relevant and
"dangerous for any malicious attacker" capability released, who will
remember to include this? I have not gone deep in the code, but I wonder
if there is a "pack" of capabilities by levels, somewhere in the code (for
example, array of administrator default capabilities). In that case, just
by doing an `array_intersect` between the Custom Role and the Admin Role
and in case the result is not empty, then add this role to the list of
hindered roles.
3. As I said, which are the testing steps to reproduce the Health Check if
the Admin is removed by default?
4. Finally, a somewhat fun topic:
Replying to [comment:58 benniledl]:
> === Actual Results
> 1. ✅ Administrator was not an option to select in the options-general
page
> 2. ✅ Site health check displayed correctly when insecure configuration
was found
How did you get to the idea of testing your own patch? I assume that there
are so few testers that one ends with the urge of testing oneself, just to
try to push a patch forward at all costs 🤦♂️ I've been tempted with some
patches [https://core.trac.wordpress.org/ticket/63135 like this one], ngl.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43936#comment:69>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list