[wp-trac] Re: [WordPress Trac] #2775: Ability for all users to add users of lesser capable roles
WordPress Trac
wp-trac at lists.automattic.com
Fri Jun 2 22:42:43 GMT 2006
#2775: Ability for all users to add users of lesser capable roles
----------------------------+-----------------------------------------------
Id: 2775 | Status: new
Component: Administration | Modified: Fri Jun 2 22:42:43 2006
Severity: enhancement | Milestone:
Priority: normal | Version: 2.1
Owner: anonymous | Reporter: doit-cu
----------------------------+-----------------------------------------------
Comment (by doit-cu):
After thinking about it, I agree. I think the best way to approach this
would be maybe more of a bugfix. Users who have the edit_user capability
shouldn't be able to edit users whose capabilities are not a proper subset
of the editing user's capabilities. True, you don't have to worry about
this in the default installation. Instead of enabling this as a feature,
why not fix that piece and then people who manage their roles outside the
default are protected from that kind of vulnerability. I don't think I'm
alone here - there are plugins for role management if I remember correctly.
This is looking like it won't be too terrible to code up. Basically it
involves adding a capabilities comparison function to the WP_Roles class
and a few extra checks in addition to the current
if(!current_user_can('edit_users')) deal.
Thoughts?
--
Ticket URL: <http://trac.wordpress.org/ticket/2775>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
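The subset check the comment proposes, written out as an added stand-alone example (not WordPress code and not the reporter's): a hypothetical comparison helper plus the extra guard that would sit beside the existing `edit_users` check. Capability sets use WordPress's array shape (`'cap_name' => true|false`); the role arrays are constructed samples.

```php
<?php
// Added example, not WordPress code. Capability sets follow WordPress's
// shape: array( 'capability_name' => true|false ).

/**
 * Names of the capabilities a user actually holds (true values only;
 * explicitly denied caps are stored as false and must not count).
 */
function granted_caps( array $caps ): array {
    return array_keys( array_filter( $caps ) );
}

/**
 * True when every capability the target holds is also held by the editor
 * AND the editor holds at least one capability the target lacks, i.e. the
 * target's set is a proper subset. (Hypothetical helper; the comment
 * imagines this living on WP_Roles.)
 */
function caps_are_proper_subset( array $target_caps, array $editor_caps ): bool {
    $target = granted_caps( $target_caps );
    $editor = granted_caps( $editor_caps );
    $missing_from_editor = array_diff( $target, $editor );
    return empty( $missing_from_editor ) && count( $editor ) > count( $target );
}

/**
 * Guard for an edit-user request: the existing edit_users check, then the
 * subset comparison. Returns true only when the edit should be permitted.
 */
function can_edit_user_caps( array $editor_caps, array $target_caps ): bool {
    if ( empty( $editor_caps['edit_users'] ) ) {
        return false; // equivalent of the current if(!current_user_can('edit_users')) check
    }
    return caps_are_proper_subset( $target_caps, $editor_caps );
}

// Constructed sample roles: two cut-down defaults and a custom role that has
// been granted edit_users, the non-default setup the comment is concerned with.
$administrator = array( 'edit_users' => true, 'manage_options' => true,
                        'edit_posts' => true, 'publish_posts' => true );
$editor        = array( 'edit_posts' => true, 'publish_posts' => true );
$user_manager  = array( 'edit_users' => true, 'edit_posts' => true );

var_dump( can_edit_user_caps( $administrator, $editor ) );       // admin editing an editor
var_dump( can_edit_user_caps( $user_manager, $administrator ) ); // custom role editing an admin (superset)
var_dump( can_edit_user_caps( $user_manager, $user_manager ) );  // identical sets, not a proper subset
```

The last two cases are the ones the existing `edit_users`-only check lets through; the comparison rejects both, so a role that can edit users can no longer reach an account holding capabilities it does not itself have.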