[wp-trac] [WordPress Trac] #43936: Settings: Warn when open registration and new user default is privileged

WordPress Trac noreply at wordpress.org
Tue Jun 4 23:43:34 UTC 2019


#43936: Settings: Warn when open registration and new user default is privileged
--------------------------+------------------------------
 Reporter:  kraftbj       |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Users         |     Version:
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  administration
--------------------------+------------------------------

Comment (by dd32):

 #46744 was closed as a duplicate of this, which I agree with.

 The main difference is that this is a warning/only allows selecting safe
 values in the UI, whereas #46744 focuses on the malicious setting of options
 to bad values through a vulnerability that allows setting of options (which
 have been common in plugins in recent years).

 Preventing a user from selecting a dangerous combination is needed, but it
 also needs to validate that the values in the database are safe to rely
 upon, IMHO.
 As an example, filter on the default value:
 {{{
 <?php
 // Validate the stored default role at read time so an unsafe value in the
 // database is never relied upon while open registration is enabled.
 function filter_default_role( $default_role ) {
   $users_can_register = (bool) get_option( 'users_can_register' );
   $role               = get_role( $default_role ); // WP_Role or null if the role does not exist
   // `manage_options`, or another cap deemed useful; `publish_posts` could also be used.
   if ( $users_can_register && ( ! $role || $role->has_cap( 'manage_options' ) ) ) {
     $default_role = 'subscriber'; // Fallback role for when an unsafe role has ended up in there
   }
   return $default_role;
 }
 add_filter( 'option_default_role', 'filter_default_role' );
 }}}
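A complementary write-time check for the combination discussed in this comment, as an added example that is not from the ticket or from WordPress core: it refuses to persist either option when the resulting pair would be unsafe and surfaces a notice if the database already holds that pair (the #46744 case). The `pre_update_option_*` and `admin_notices` hooks and the capability names are real WordPress ones; the `ticket43936_*` function names and the choice of capabilities are my own assumptions.

```php
<?php
// Added example (not ticket or core code). Refuses to persist an unsafe
// combination of `users_can_register` and `default_role`, whichever of the two
// is being written, and flags an unsafe combination already stored.

// Capabilities a self-registered user must never receive by default (assumed list).
function ticket43936_privileged_caps() {
	return array( 'manage_options', 'edit_users', 'install_plugins', 'publish_posts' );
}

// True when $role_name does not exist or carries any privileged capability.
function ticket43936_role_is_unsafe( $role_name ) {
	$role = get_role( $role_name );
	if ( ! $role ) {
		return true;
	}
	foreach ( ticket43936_privileged_caps() as $cap ) {
		if ( $role->has_cap( $cap ) ) {
			return true;
		}
	}
	return false;
}

// Before default_role is written: keep the stored value if the new one is unsafe while registration is open.
add_filter( 'pre_update_option_default_role', function ( $new_role, $old_role ) {
	if ( get_option( 'users_can_register' ) && ticket43936_role_is_unsafe( $new_role ) ) {
		return $old_role; // update_option() sees no change and writes nothing
	}
	return $new_role;
}, 10, 2 );

// Before users_can_register is written: do not open registration while the default role is unsafe.
add_filter( 'pre_update_option_users_can_register', function ( $new_value, $old_value ) {
	if ( $new_value && ticket43936_role_is_unsafe( get_option( 'default_role' ) ) ) {
		return $old_value;
	}
	return $new_value;
}, 10, 2 );

// Surface an unsafe pair that is already in the database, e.g. written outside update_option().
add_action( 'admin_notices', function () {
	if ( get_option( 'users_can_register' ) && ticket43936_role_is_unsafe( get_option( 'default_role' ) ) ) {
		echo '<div class="notice notice-error"><p>Open registration is enabled and the default role is privileged.</p></div>';
	}
} );
```

Because `pre_update_option_*` only runs inside `update_option()`, a direct database write still bypasses it; the read-time filter in the comment above and the admin notice cover that case.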

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/43936#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform