[wp-trac] [WordPress Trac] #6662: Users without capability "create_users" can add new users
WordPress Trac
wp-trac at lists.automattic.com
Thu Apr 10 13:16:12 GMT 2008
#6662: Users without capability "create_users" can add new users
---------------------------+------------------------------------------------
Reporter: imwebgefunden | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.5.1
Component: Security | Version: 2.5
Severity: normal | Keywords:
---------------------------+------------------------------------------------
If a user has the capability "edit_users" and not the capability
"create_users", he can add new users.

The defect is in admin-ajax.php. The check is against "edit_users" and not
"create_users". I've attached a patch to fix this issue.

A second one, more an add-on and not a defect: we should show the add
user form only if the current user has the capability to add a new user.
If the current user has the capability "create_users", the form will be
shown. The second patch I attached does this job.
--
Ticket URL: <http://trac.wordpress.org/ticket/6662>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
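
The capability mismatch described in the ticket, as an added example that is not WordPress source and not either of the attached patches. The role names, role_can(), handle_add_user() and show_add_user_form() are hypothetical; only the capability names "edit_users" and "create_users" come from the ticket.

```php
<?php
// Added illustration: not WordPress source and not the ticket's patches.
// Constructed roles; only the capability names come from the ticket.
$roles = array(
    'edits_only'   => array( 'edit_users' ),
    'creates_only' => array( 'create_users' ),
    'both'         => array( 'edit_users', 'create_users' ),
    'neither'      => array(),
);

// Stand-in for a capability lookup against one role's capability list.
function role_can( array $caps, $cap ) {
    return in_array( $cap, $caps, true );
}

// Hypothetical add-user handler; $required is the capability it checks.
// Returns true when the new account would be created.
function handle_add_user( array $caps, $required ) {
    if ( ! role_can( $caps, $required ) ) {
        return false; // request refused before any account is created
    }
    return true;
}

// Second patch's idea: show the form only to users who may create users.
// This is presentation only; the handler check is what enforces the rule.
function show_add_user_form( array $caps ) {
    return role_can( $caps, 'create_users' );
}

printf( "%-13s %-20s %-20s %s\n", 'role', 'check edit_users', 'check create_users', 'form shown' );
foreach ( $roles as $name => $caps ) {
    printf(
        "%-13s %-20s %-20s %s\n",
        $name,
        handle_add_user( $caps, 'edit_users' ) ? 'user added' : 'refused',
        handle_add_user( $caps, 'create_users' ) ? 'user added' : 'refused',
        show_add_user_form( $caps ) ? 'yes' : 'no'
    );
}
```

In this model the "edits_only" row is the reported defect: the handler that checks "edit_users" adds the user, while the one that checks "create_users" refuses. The "creates_only" row shows the other side of the same mismatch, where a role that should be allowed to add users is refused by the "edit_users" check.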