[wp-trac] Re: [WordPress Trac] #6014: Users given the 'edit_users'
capability can alter and create new users above their user level.
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 12 17:47:56 GMT 2008
#6014: Users given the 'edit_users' capability can alter and create new users above their user level.
--------------------------+-------------------------------------------------
 Reporter:  jeremyclarke  |       Owner:  pishmishy
     Type:  defect        |      Status:  assigned
 Priority:  normal        |   Milestone:  2.6
Component:  Security      |     Version:
 Severity:  major         |  Resolution:
 Keywords:                |
--------------------------+-------------------------------------------------
Comment (by pishmishy):
I'm not sure this can be fixed as you describe. It requires roles to have
a clear ordering imposed on them, that Administrator > Editor > ... >
Subscriber. This is something that we're trying to move away from as we
transition from access levels to roles and capabilities. What may seem
like an intuitive ordering of roles may not be expected by others
(especially those using this "role manager" plugin).
My recommendation is that any tool which allows the assigning of the
edit_user capability to a user, or role, should make the consequences of
that action very clear. The documentation in the codex should also make
this clear.
I hope that doesn't sound like I'm brushing aside the issue, but I'm
reluctant to consider a solution that looks at particular roles as being
higher or lower than others.
--
Ticket URL: <http://trac.wordpress.org/ticket/6014#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
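One way a site could contain the exposure the ticket describes without imposing a global ordering on roles is to special-case only the administrator role. The plugin below is an added example, not code from the ticket or from WordPress core; it assumes a WordPress version that provides the `editable_roles` and `map_meta_cap` filters, and the function names prefixed `rra_` are hypothetical.

```php
<?php
/*
Plugin Name: Restrict administrator assignment (example)
*/

// Assumption: only a user who already holds the administrator role may
// grant it or edit an existing administrator. All other roles stay
// unordered, in keeping with the roles-and-capabilities model.
function rra_user_is_admin( $user ) {
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

// Remove 'administrator' from the role drop-downs offered to a
// non-administrator who holds edit_users / promote_users.
function rra_filter_editable_roles( $roles ) {
    if ( ! rra_user_is_admin( wp_get_current_user() ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}
add_filter( 'editable_roles', 'rra_filter_editable_roles' );

// Deny edit_user / delete_user on an existing administrator when the
// acting user is not one, even if the edit form is requested directly.
function rra_map_meta_cap( $caps, $cap, $user_id, $args ) {
    if ( ! in_array( $cap, array( 'edit_user', 'delete_user' ), true ) ) {
        return $caps;
    }
    $target_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( 0 === $target_id || $target_id === (int) $user_id ) {
        return $caps; // editing your own profile is unaffected
    }
    $target_is_admin = rra_user_is_admin( get_userdata( $target_id ) );
    $actor_is_admin  = rra_user_is_admin( get_userdata( $user_id ) );
    if ( $target_is_admin && ! $actor_is_admin ) {
        // 'do_not_allow' is a capability no role grants, so the check fails.
        $caps[] = 'do_not_allow';
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'rra_map_meta_cap', 10, 4 );
```

The first filter only hides the option in the UI; the second is the actual check, so a request that bypasses the drop-down is still refused.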