[wp-trac] Re: [WordPress Trac] #6908: Creating new users role - a
security risk?
WordPress Trac
wp-trac at lists.automattic.com
Wed May 7 14:30:15 GMT 2008
#6908: Creating new users role - a security risk?
--------------------------------------+-------------------------------------
Reporter: CrazySerb | Owner: anonymous
Type: defect | Status: closed
Priority: normal | Milestone:
Component: Security | Version: 2.5.1
Severity: normal | Resolution: duplicate
Keywords: user roles, group levels |
--------------------------------------+-------------------------------------
Changes (by pishmishy):
* status: new => closed
* resolution: => duplicate
* milestone: 2.7 =>
Comment:
It was discussed in #6014, which is identical in principle to this ticket.
To repeat myself, we shouldn't be imposing any ordering on roles:
* An order would be equivalent to the user level numbers (albeit with
different labels). We moved away from this.
* We'd never agree on a default ordering (we leave such things to plugins
if desired by the user).
Problems arise because people aren't informed of the true extent of the
'edit_users' capability. I suggested that the authors of plugins who allow
users to mess with capabilities should make it very clear to their users.
I still don't believe it's a WordPress issue (although we could look at
improving our documentation), but I'll hold off closing the other ticket
for risk of upsetting too many people :-)
--
Ticket URL: <http://trac.wordpress.org/ticket/6908#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software