[wp-trac] Re: [WordPress Trac] #6014: Users given the 'edit_users' capability can alter and create new users above their user level.

WordPress Trac wp-trac at lists.automattic.com
Sat Mar 15 19:01:00 GMT 2008


#6014: Users given the 'edit_users' capability can alter and create new users
above their user level.
--------------------------+-------------------------------------------------
 Reporter:  jeremyclarke  |        Owner:  pishmishy
     Type:  defect        |       Status:  assigned 
 Priority:  normal        |    Milestone:  2.6      
Component:  Security      |      Version:           
 Severity:  major         |   Resolution:           
 Keywords:                |  
--------------------------+-------------------------------------------------
Comment (by jeremyclarke):

 Actually, the role manager plugin already has a 'manage roles' cap in the
 newest version (which I didn't have yet), so you can have only admins be
 able to individually modify capabilities or modify roles globally, which
 makes sense.

 Looking into the situation I found that one can control the display of the
 edit links on the users.php screen using a filter on user_has_cap, which
 is run near the end of current_user_can. It turns out that when it prints
 the user editing links (on their username in 2.5) it actually does the
 check with the edited user's id, i.e.

 {{{
  if (current_user_can('edit_user', $user_id)) {}
 }}}

 As of now, the only thing it does with the user_id is make sure it's not
 the same as the logged in user (so that you don't "edit yourself" but
 instead "modify your profile"). I coded up an example plugin that hooks
 into that filter and returns false if the edited user has any
 capabilities that the logged-in user doesn't (as I described above). I
 think you're right that this might as well be part of the plugin (I'm
 going to get in touch with the current maintainer about it).

 The one change that still needs to happen in core is to the
 wp_dropdown_roles() function, which needs to have a filter installed on
 the $wp_roles->role_names so that inappropriate ones can be removed by a
 plugin (In my example plugin I compare all caps as described above but you
 could have an option or code it differently if you wanted). It's not quite
 done but here's the function I have so far if anyone has input (from
 /wp-admin/includes/template.php ~line 900 ):

 {{{
 function wp_dropdown_roles( $default = false ) {
         global $wp_roles;

         // filter the roles to remove ones the logged-in user shouldn't
         // be able to apply to others, or whatever other filters people
         // might want.
         $filtered_roles = apply_filters('wp_role_listing', $wp_roles);

         $p = ''; // initialise so nothing is undefined when no role matches $default
         $r = '';
         foreach( $filtered_roles->role_names as $role => $name ) {
                 $name = translate_with_context($name);
                 if ( $default == $role ) // Make default first in list
                         $p = "\n\t<option selected='selected' value='$role'>$name</option>";
                 else
                         $r .= "\n\t<option value='$role'>$name</option>";
         }
         echo $p . $r;
 }
 }}}

 The other thing I still have to do is replace the dropdown menu which is
 hardcoded in user-edit.php with one generated by the plugin above so that
 it can be filtered also.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/6014#comment:7>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
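The user_has_cap approach described in the comment above, as an added PHP example (not the reporter's plugin or WordPress core code); it assumes the $args layout that WP_User::has_cap() builds, i.e. array( $cap, $acting_user_id, $target_user_id ) for current_user_can('edit_user', $user_id):

```php
<?php
/*
Plugin Name: Example: deny edit_user on higher-privileged targets
*/

// Deny 'edit_user' when the target user holds any capability the acting
// user lacks.  'user_has_cap' runs inside WP_User::has_cap(), and therefore
// inside every current_user_can('edit_user', $user_id) check.
function example_restrict_edit_user( $allcaps, $caps, $args ) {
    // Assumption: $args[0] is the meta cap, $args[1] the acting user's ID,
    // $args[2] the extra argument passed to current_user_can() (target ID).
    if ( 'edit_user' != $args[0] || ! isset( $args[2] ) ) {
        return $allcaps;
    }
    $acting_id = (int) $args[1];
    $target_id = (int) $args[2];
    if ( $acting_id == $target_id ) {
        return $allcaps; // editing yourself is the "profile" path, not our concern
    }
    $target = new WP_User( $target_id );
    if ( empty( $target->ID ) ) {
        return $allcaps; // unknown user: leave the decision to core
    }
    // A capability granted to the target but not to the acting user means
    // the target sits "above" the acting user.
    foreach ( $target->allcaps as $cap => $granted ) {
        if ( $granted && empty( $allcaps[ $cap ] ) ) {
            // Clear the primitive cap(s) map_meta_cap() asked for, so
            // has_cap() fails for this call only ($allcaps is a copy).
            foreach ( $caps as $required ) {
                $allcaps[ $required ] = false;
            }
            break;
        }
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'example_restrict_edit_user', 10, 3 );
```

Because user-edit.php performs the same current_user_can('edit_user', $user_id) check before displaying and before saving the form, this hook gates the edit itself and not only the links on users.php; the role dropdown still needs the separate filter discussed above.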

