[wp-hackers] Critical WP Flaw?
Jamie Holly
hovercrafter at earthlink.net
Thu Jul 27 13:12:55 GMT 2006
> Saying so here won't make much of a dent in changing that. I've never
> heard of current_user_can(), either, along with, apparently, a lot of
> other plugin devs. This would lead me to believe there is a failure in
> documentation which should probably also be addressed along with this
> security vulnerability, if this is so important.
> If you're relying on the cap/level check provided when you register a
> menu/submenu, that will cover most plugins. There is indeed a bug in
> 2.0.3 that breaks this check in some cases. 2.0.4 beta fixes this. If
> you don't register a menu and don't do a level or cap check, your plugin
> is vulnerable.
> Personally, I never really meant the menu cap check to be relied upon
> quite so heavily. It was offered as a convenience thing for simple
> plugins. I use current_user_can() in my plugins.
> current_user_can() is the heart of the capability system.
> http://codex.wordpress.org/Roles_and_Capabilities
> Looks like we need to do a better job of documenting with regard to
> plugin development.
> Ryan
I couldn't agree more. It took me some time before I really found out about
the current_user_can() and once I found it life was much easier. The role
capabilities plugin makes using this feature extra nice. I would almost like
to see some sort of role manager placed into the WP core and even more roles
added (like a can_moderate_comments).
The user roles and capabilities should be used in all plugins requiring
access checks, but I've got a feeling many people either a) don't know about it
or b) shy away because you need a plugin to really set user capabilities.
Jamie Holly
http://www.intoxination.net
-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Ryan Boren
Sent: Thursday, July 27, 2006 6:04 AM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Critical WP Flaw?
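The distinction Ryan draws above (the capability argument passed when registering a menu only guards the menu page; any other entry point the plugin exposes needs its own current_user_can() call) is illustrated by the following plugin fragment. It is an added example, not code from this thread or from WordPress itself. It uses the current WordPress plugin API (add_action, add_options_page, current_user_can, check_admin_referer, wp_nonce_url, wp_die), some of which postdates the 2.0.x releases discussed here; the option name, hook callback names and the 'manage_options' capability choice are constructed for the illustration.

```php
<?php
/*
Plugin Name: Capability check illustration (added example, not from the thread)
*/

// Pattern the thread calls vulnerable: an action handler that is reachable
// without a registered menu and performs no level or capability check.
// Anyone who can reach the request is allowed to trigger it.
// (Defined here for comparison only; deliberately not hooked to any action.)
function example_clear_cache_unchecked() {
    if ( isset( $_GET['example_clear_cache'] ) ) {
        delete_option( 'example_cache' ); // constructed option name
    }
}

// Hardened pattern: consult the capability system before acting, then verify
// the request was intentionally issued from the admin UI (nonce check).
function example_clear_cache_checked() {
    if ( ! isset( $_GET['example_clear_cache'] ) ) {
        return;
    }
    // The heart of the capability system, as Ryan puts it: this is the check
    // that the menu registration below does NOT perform on our behalf.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to do this.' );
    }
    // Nonce action name is constructed for this example.
    check_admin_referer( 'example_clear_cache' );
    delete_option( 'example_cache' );
}
add_action( 'admin_init', 'example_clear_cache_checked' );

// Registering the settings page. The 'manage_options' argument guards access
// to this page only; it says nothing about the handler hooked to admin_init
// above, which is why that handler carries its own current_user_can() call.
function example_register_menu() {
    add_options_page(
        'Example settings',   // page title
        'Example',            // menu title
        'manage_options',     // capability required to see the page
        'example-settings',   // menu slug (constructed)
        'example_settings_page'
    );
}
add_action( 'admin_menu', 'example_register_menu' );

// Renders the page and a nonce-protected link to the checked handler.
function example_settings_page() {
    $url = wp_nonce_url(
        admin_url( 'options-general.php?page=example-settings&example_clear_cache=1' ),
        'example_clear_cache'
    );
    echo '<div class="wrap"><h2>Example settings</h2>';
    echo '<p><a href="' . esc_url( $url ) . '">Clear cache</a></p></div>';
}
```

The capability check sits inside the handler rather than only on the page because WordPress dispatches admin_init for every admin request, regardless of which menu page the user is viewing; the nonce check is a separate concern (request intent) and does not substitute for the capability check (who is allowed).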
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers