[wp-trac] Re: [WordPress Trac] #6908: Creating new users role - a security risk?
WordPress Trac
wp-trac at lists.automattic.com
Tue May 6 00:42:39 GMT 2008
#6908: Creating new users role - a security risk?
--------------------------------------+-------------------------------------
 Reporter:  CrazySerb                 |        Owner:  anonymous
     Type:  defect                    |       Status:  new
 Priority:  normal                    |    Milestone:  2.7
Component:  Security                  |      Version:  2.5.1
 Severity:  normal                    |   Resolution:
 Keywords:  user roles, group levels  |
--------------------------------------+-------------------------------------
Comment (by DD32):
Replying to [comment:1 Otto42]:
> Allowing users to edit users higher than themselves does indeed not make
> much sense, however the user level number idea is deprecated/not used
> anymore. Perhaps some way to define an order on the Roles, thus allowing
> it to determine which roles are above other roles?

This was discussed on another ticket/mailing list, I can't remember where.
The idea which was suggested that made most sense to me was that users
should not be able to create a user with a capability they themselves do
not have, so if they do not have the manage_options capability, they
should not be able to create a user who would have the manage_options cap.
And a similar route for editing users.
--
Ticket URL: <http://trac.wordpress.org/ticket/6908#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
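
The capability-subset rule suggested in the comment above, sketched as an added example (not part of the original message and not WordPress core code). The role table is constructed, `user_manager` is a hypothetical custom role, and the function names are illustrative; only the capability names are real WordPress capabilities.

```php
<?php
// Constructed role table in WordPress's "capability => granted" shape.
// 'user_manager' is a hypothetical custom role; these are not core defaults.
$roles = [
    'administrator' => ['manage_options' => true, 'create_users' => true,
                        'edit_users' => true, 'edit_posts' => true],
    'user_manager'  => ['create_users' => true, 'edit_users' => true,
                        'edit_posts' => true],
    'author'        => ['edit_posts' => true, 'manage_options' => false],
];

// Capabilities a role actually grants; a false entry is an explicit denial.
function granted_caps(array $roles, string $role): ?array
{
    return isset($roles[$role]) ? array_keys(array_filter($roles[$role])) : null;
}

// True only if the actor's role grants every capability in $needed.
function holds_all(array $roles, string $actor_role, array $needed): bool
{
    $held = granted_caps($roles, $actor_role) ?? [];
    return array_diff($needed, $held) === [];
}

// Create: the new account may not receive a capability the actor lacks.
function can_create_user(array $roles, string $actor_role, string $new_role): bool
{
    $wanted = granted_caps($roles, $new_role);
    return $wanted !== null
        && holds_all($roles, $actor_role, array_merge(['create_users'], $wanted));
}

// Edit: the same rule, applied to what the target has now and would have after.
function can_edit_user(array $roles, string $actor_role, string $target_role, string $new_role): bool
{
    $current = granted_caps($roles, $target_role);
    $wanted  = granted_caps($roles, $new_role);
    return $current !== null && $wanted !== null
        && holds_all($roles, $actor_role, array_merge(['edit_users'], $current, $wanted));
}

var_dump(can_create_user($roles, 'user_manager', 'author'));        // subset of actor's caps
var_dump(can_create_user($roles, 'user_manager', 'administrator')); // would grant manage_options
var_dump(can_edit_user($roles, 'user_manager', 'administrator', 'author')); // target outranks actor
var_dump(can_edit_user($roles, 'author', 'author', 'author'));      // actor lacks edit_users
```

Comparing capability sets needs no ordering of roles, and an unknown role name is refused rather than treated as having no capabilities.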