[wp-trac] [WordPress Trac] #6566: custom-built roles can create administrator users
WordPress Trac
wp-trac at lists.automattic.com
Thu Apr 3 09:18:03 GMT 2008
#6566: custom-built roles can create administrator users
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:  anonymous
     Type:  defect             |      Status:  new
 Priority:  normal             |   Milestone:  2.5.1
Component:  Security           |     Version:  2.5
 Severity:  minor              |    Keywords:
-------------------------------+--------------------------------------------
If you create a custom role using the role manager, and let that role edit
options for any reason (e.g. you want to set up some kind of demo site),
then users with that role can open registrations, and assign administrator
as the default role, then let themselves in as administrator.
Fix:
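{{{
# Read-time filter: never report 'administrator' as the default role
# while registrations are open.
function default_role($o)
{
	if ( $o == 'administrator' && get_option('users_can_register') )
	{
		global $wp_roles;

		foreach ( $wp_roles->role_names as $role => $name )
		{
			# Fall back to the first role that is not administrator.
			if ( $role != 'administrator' )
			{
				$o = $role;
				# Persist the corrected value at the end of the request.
				add_action('shutdown', create_function('', "update_option('default_role', '$role');"));
				break;
			}
		}
	}

	return $o;
} # default_role()

add_filter('option_default_role', 'default_role');
}}}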
--
Ticket URL: <http://trac.wordpress.org/ticket/6566>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
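
A complementary guard on the write path, as an added example that is not part of the ticket or of WordPress core: it rejects a `default_role` change when the new role grants capabilities the acting user does not hold. It assumes a WordPress version that provides the `pre_update_option_{$option}` filter; the function name `example_guard_default_role` is hypothetical.

```php
<?php
/*
 * Added example (not from the ticket): refuse a change to 'default_role'
 * when the new role would grant capabilities the acting user lacks.
 * Assumes a WordPress version that provides the pre_update_option_{$option}
 * filter; the function name is hypothetical.
 */
function example_guard_default_role( $new_value, $old_value ) {
	// No change requested: nothing to check.
	if ( $new_value === $old_value ) {
		return $new_value;
	}

	$role = get_role( $new_value );

	// Unknown role slug: keep the previous setting.
	if ( null === $role ) {
		return $old_value;
	}

	// Updates made outside a logged-in request (installer, cron, CLI) are
	// not the scenario in the ticket; this example lets them through.
	if ( ! is_user_logged_in() ) {
		return $new_value;
	}

	// Every capability the new default role grants must already be held by
	// the user making the change. Otherwise open registration would hand
	// out more privilege than that user has.
	foreach ( $role->capabilities as $cap => $granted ) {
		if ( $granted && ! current_user_can( $cap ) ) {
			// Returning the old value makes update_option() a no-op.
			return $old_value;
		}
	}

	return $new_value;
}
add_filter( 'pre_update_option_default_role', 'example_guard_default_role', 10, 2 );
```

This covers only the `default_role` option; a custom role that can edit options can still change other settings.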