[wp-trac] Re: [WordPress Trac] #6014: Hook needed on wp_dropdown_roles() to secure 'edit_users' capability (see last comment)
WordPress Trac
wp-trac at lists.automattic.com
Thu Apr 10 22:39:12 GMT 2008
#6014: Hook needed on wp_dropdown_roles() to secure 'edit_users' capability (see last comment)
--------------------------+-------------------------------------------------
Reporter: jeremyclarke | Owner: pishmishy
Type: defect | Status: assigned
Priority: normal | Milestone: 2.6
Component: Security | Version:
Severity: major | Resolution:
Keywords: has-patch |
--------------------------+-------------------------------------------------
Comment (by dpe415):
After talking with Jeremy Clarke about the functionality he discusses in
this article, it would appear that I've found a related issue with WP
roles & creating users. Below are the details of an email I sent to
Jeremy, outlining the issue I've discovered:
----
I'm running WP 2.3.3 and the Role Manager plugin version 2.2.1. With Role
Manager, I have given Editors the capability to Edit users, but not create
new ones or delete existing ones. Plainly stated, the delete restriction
works great. But no matter what I try Editors can still add new users of
any Role including Administrator (which defeats the whole point of having
separate Roles--an Editor can create their own Administrator account!).
I’ve dug into the WP core code a bit and it appears to me that the check
that prevents Editors from being deleted is located in \wp-admin\users.php
at or around line 161 and includes this:
{{{
if ( !current_user_can('delete_users') )
wp_die(__('You can’t delete users.'));
}}}
When an Editor tries to delete any user, they end up being told that they
can't delete users. Perfect. Everything functions great.
The same check is (supposedly) performed when adding users as well. It is
located at or around line 257 and includes this:
{{{
if ( !current_user_can('create_users') )
wp_die(__('You can’t create users.'));
}}}
However, this check never seems to fire when an Editor tries to create a
user. It would seem that the create_users capability check isn't
functioning properly, which allows Editors to create users even though
they don't have that capability assigned to them.
--
Ticket URL: <http://trac.wordpress.org/ticket/6014#comment:9>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
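The ticket's subject and the comment above point at the same gap: an action-level capability check (create_users, delete_users) on its own says nothing about which roles the actor may hand out, and the role drop-down offers every role. The PHP below is an added illustration, not WordPress core or Role Manager code, of the shape a fix takes: check the action capability, then separately check that the requested role is one the actor may assign, and drive the drop-down from that same rule. Role and capability names follow WordPress defaults; the $ROLE_LEVEL ordering, the helper names (role_has_cap, can_assign_role, assignable_roles) and the sample logins are assumptions made for this example.

```php
<?php
// Added example, not WordPress core or Role Manager code. Models the two
// checks a create/edit-user handler needs: the action capability and a
// separate "may the actor hand out this role" rule.

// Constructed role -> capability map. The 'editor' entry mirrors the Role
// Manager setup described in the comment: edit_users granted, create_users
// and delete_users not.
$ROLES = [
    'administrator' => ['edit_users' => true, 'create_users' => true, 'delete_users' => true],
    'editor'        => ['edit_users' => true],
    'subscriber'    => [],
];

// Assumed ordering: an actor may assign any role at or below their own level,
// never one above it.
$ROLE_LEVEL = ['subscriber' => 0, 'editor' => 5, 'administrator' => 10];

function role_has_cap(array $roles, string $actor_role, string $cap): bool {
    return !empty($roles[$actor_role][$cap]);
}

function can_assign_role(array $level, string $actor_role, string $target_role): bool {
    return isset($level[$actor_role], $level[$target_role])
        && $level[$target_role] <= $level[$actor_role];
}

// Roles a role drop-down rendered for $actor_role should list: the same rule
// the form handler enforces, so the UI and the server agree.
function assignable_roles(array $level, string $actor_role): array {
    return array_values(array_filter(array_keys($level),
        fn(string $r) => can_assign_role($level, $actor_role, $r)));
}

// Hardened create-user handler: action check first, then role check.
function add_user(array $roles, array $level, string $actor_role,
                  string $login, string $new_role): array {
    if (!role_has_cap($roles, $actor_role, 'create_users')) {
        return ['ok' => false, 'error' => "You can't create users."];
    }
    if (!can_assign_role($level, $actor_role, $new_role)) {
        return ['ok' => false, 'error' => "You can't assign the role '$new_role'."];
    }
    return ['ok' => true, 'user' => ['login' => $login, 'role' => $new_role]];
}

// Hardened edit-user handler: edit_users permits profile edits, but a role
// change still has to pass can_assign_role(), so an editor cannot promote
// anyone (themselves included) to administrator.
function set_user_role(array $roles, array $level, string $actor_role,
                       array $user, string $new_role): array {
    if (!role_has_cap($roles, $actor_role, 'edit_users')) {
        return ['ok' => false, 'error' => "You can't edit users."];
    }
    if (!can_assign_role($level, $actor_role, $new_role)) {
        return ['ok' => false, 'error' => "You can't assign the role '$new_role'."];
    }
    $user['role'] = $new_role;
    return ['ok' => true, 'user' => $user];
}

// Demo with constructed logins: the scenario from the comment (an editor
// trying to create an administrator), an attempted promotion, a legitimate
// demotion, and a normal administrator action.
$demo = [
    ['editor',        'add_user',      'mallory', 'administrator'],
    ['editor',        'set_user_role', 'alice',   'administrator'],
    ['editor',        'set_user_role', 'alice',   'subscriber'],
    ['administrator', 'add_user',      'bob',     'editor'],
];
foreach ($demo as [$actor, $op, $login, $role]) {
    $r = $op === 'add_user'
        ? add_user($ROLES, $ROLE_LEVEL, $actor, $login, $role)
        : set_user_role($ROLES, $ROLE_LEVEL, $actor, ['login' => $login, 'role' => 'editor'], $role);
    printf("%-13s %-13s %-13s -> %s\n", $actor, $op, $role,
        $r['ok'] ? 'allowed' : 'denied: ' . $r['error']);
}
printf("roles an editor's drop-down should list: %s\n",
    implode(', ', assignable_roles($ROLE_LEVEL, 'editor')));
```

Run with `php example.php` (PHP 7.4 or later for the arrow function). The level ordering is deliberately simple; the point is that the form handler and the drop-down rendering call the same assignable-role check, so a user who holds edit_users or create_users still cannot create or promote anyone above their own level, and filtering the drop-down alone is never the security boundary.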