[wp-trac] [WordPress Trac] #19791: can't correctly grant certain capabilities to roles on multisite
WordPress Trac
wp-trac at lists.automattic.com
Wed Mar 21 20:33:51 UTC 2012
#19791: can't correctly grant certain capabilities to roles on multisite
-----------------------------+------------------
Reporter: jtclarke | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.4
Component: Role/Capability | Version: 3.0
Severity: normal | Resolution:
Keywords: has-patch |
-----------------------------+------------------
Comment (by pagesimplify):
@jtclarke - Thanks for posting this bug and patch.
However, I disagree with the solution you posted as quoted below:
[[BR]]
> moving the delete_user and create_user checks -- so that these other
> checks are actually allowed to fall through to the default.
[[BR]]
Why allow capability checks for Managing Themes, Plugins, and update_core
to fall through to the default checks? As it stands, these checks do not
automatically fall through to the default case and may result in
unexpected results.
I've submitted an
[http://core.trac.wordpress.org/attachment/ticket/19791/capabilities.php.patch
alternate patch] to simply remove the fall through logic from the two case
match sets below:
'''First Case Match Set: Manage Themes / Plugins / Update Core'''
{{{
case 'update_plugins':
case 'delete_plugins':
case 'install_plugins':
case 'update_themes':
case 'delete_themes':
case 'install_themes':
case 'update_core':
}}}
'''Second Case Match Set: Save Unfiltered HTML'''
{{{
case 'unfiltered_html':
}}}
The First Case Match should not fall through to Second Case Match
(Unfiltered HTML). Likewise, the Second Case Match (Unfiltered HTML)
should not fall through to the next case match sets checking for Deleting
and Creating Users capabilities.
Thanks,
David Carroll
--
Ticket URL: <http://core.trac.wordpress.org/ticket/19791#comment:6>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
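
Added example, not part of the original message and not WordPress core code: a simplified model of a switch-based capability mapper, showing how the case sets named in the comment behave with and without fall-through. The function names, the `$multisite`/`$superAdmin` parameters, and the super-admin gate on the user cases are assumptions of this model.

```php
<?php
// Simplified model, not WordPress core: each mapper returns the primitive
// capabilities a user must hold for $cap. The super-admin gate is assumed.

function map_cap_fallthrough(string $cap, bool $multisite, bool $superAdmin): array
{
    switch ($cap) {
        case 'update_plugins':
        case 'install_themes':
        case 'update_core':
            // No break: execution continues into the next case body.
        case 'unfiltered_html':
            // No break here either.
        case 'delete_user':
        case 'create_user':
            // Reached by every capability above, not only the user ones.
            return [($multisite && !$superAdmin) ? 'do_not_allow' : $cap];
        default:
            return [$cap];
    }
}

function map_cap_isolated(string $cap, bool $multisite, bool $superAdmin): array
{
    switch ($cap) {
        case 'update_plugins':
        case 'install_themes':
        case 'update_core':
            return [$cap]; // this set decides on its own, then stops
        case 'unfiltered_html':
            return [$cap]; // same: no fall-through into the user cases
        case 'delete_user':
        case 'create_user':
            return [($multisite && !$superAdmin) ? 'do_not_allow' : $cap];
        default:
            return [$cap];
    }
}

// Constructed scenario: multisite, user is a site admin but not a super admin.
foreach (['update_plugins', 'unfiltered_html', 'delete_user', 'edit_posts'] as $cap) {
    printf("%-16s fallthrough=%-13s isolated=%s\n", $cap,
        implode(',', map_cap_fallthrough($cap, true, false)),
        implode(',', map_cap_isolated($cap, true, false)));
}
```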