[wp-trac] [WordPress Trac] #21425: the 'edit_users' capability also allows 'promote_users'
WordPress Trac
wp-trac at lists.automattic.com
Sat Sep 22 10:11:33 UTC 2012
#21425: the 'edit_users' capability also allows 'promote_users'
-------------------------------------+------------------------------
Reporter: ew_holmes | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: 3.4.1
Severity: major | Resolution:
Keywords: needs-patch 2nd-opinion |
-------------------------------------+------------------------------
Changes (by firebird75):
* cc: autremonde75@… (added)
Comment:
Thought about it and I think the right way to do it would be to have a
filter hook available at the top of the profile page that would allow
plugins to filter out each profile field.
It would look like this:
{{{
$profile_fields = array('email' => "read-write", 'role' => "read-write",
    // ... one entry per profile field
);
// the filter receives the field map as its value and the user being
// edited as an extra argument
$profile_fields = apply_filters('profile_page_fields', $profile_fields, $user_to_edit);
// then the profile page function would walk through the array to display
// the fields
foreach ($profile_fields as $field => $visibility)
{
    if ($visibility == "read-write") {
        // display field with possibility to modify values
    } else if ($visibility == "read-only") {
        // display field in read-only mode only
    }
}
}}}
This way, plugins could filter out some fields that aren't required by
unsetting them, or set the visibility of some fields to read-only.
The filter would need to be applied also while saving the profile. There,
the update function shouldn't update removed fields or read-only ones.
I believe it is important to pass the $user_to_edit to the filter so that
the filtering function can check which user is to be modified and based on
that, potentially prevent user privilege elevation or not for example.
This filter would make it possible to get rid of all the output-buffering
hacks that several plugins use to remove some fields, and would also give
greater control over what is available to the user.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21425#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
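The design sketched in the comment above, worked through as an added example; this is neither firebird75's code nor WordPress core. It models the proposed `profile_page_fields` filter with a plugin callback that marks the `role` field read-only for an acting user who lacks `promote_users`, and a save routine that re-applies the same map so a posted role change is discarded server-side, not just hidden in the form. The hook and capability handling are tiny shims standing in for `add_filter`/`apply_filters` (same argument order as WordPress, priority ignored) so the script runs from the PHP CLI; the field names, the `$acting_caps` argument and the `example_*` functions are assumptions for illustration.

```php
<?php
// Added example (not firebird75's code, not WordPress core). Shims below
// only stand in for the WordPress hook API so the script runs stand-alone.
if ( ! function_exists( 'add_filter' ) ) {
    $GLOBALS['wp_filter'] = array();
    function add_filter( $tag, $callback, $priority = 10, $accepted_args = 1 ) {
        $GLOBALS['wp_filter'][ $tag ][] = array( 'callback' => $callback, 'accepted_args' => $accepted_args );
    }
    function apply_filters( $tag, $value ) {
        $args = func_get_args();
        foreach ( $GLOBALS['wp_filter'][ $tag ] ?? array() as $hook ) {
            $args[1] = $value; // each callback sees the previous callback's result
            $value   = call_user_func_array( $hook['callback'], array_slice( $args, 1, $hook['accepted_args'] ) );
        }
        return $value;
    }
}

// Default visibility map the profile page would start from (assumed field set).
function example_default_profile_fields() {
    return array(
        'email'        => 'read-write',
        'display_name' => 'read-write',
        'role'         => 'read-write',
    );
}

// Plugin callback: lock the role field unless the acting user may promote.
// $user_to_edit is passed so a plugin could also decide based on WHO is edited.
function example_lock_role_field( $fields, $user_to_edit, $acting_caps ) {
    if ( empty( $acting_caps['promote_users'] ) ) {
        $fields['role'] = 'read-only';
    }
    // A plugin that wants a field gone entirely would unset( $fields['...'] ).
    return $fields;
}
add_filter( 'profile_page_fields', 'example_lock_role_field', 10, 3 );

// Resolve the field map once per edit; rendering and saving both use it,
// so the server-side check matches what the form showed.
function example_profile_fields( $user_to_edit, $acting_caps ) {
    return apply_filters( 'profile_page_fields', example_default_profile_fields(), $user_to_edit, $acting_caps );
}

// Rendering: walk the map and emit an editable or a read-only control.
// Returns one markup string per field (kept as strings for inspection).
function example_render_profile_fields( $user_to_edit, $acting_caps ) {
    $markup = array();
    foreach ( example_profile_fields( $user_to_edit, $acting_caps ) as $field => $visibility ) {
        $current = htmlspecialchars( (string) ( $user_to_edit[ $field ] ?? '' ), ENT_QUOTES );
        if ( 'read-write' === $visibility ) {
            $markup[ $field ] = sprintf( '<input name="%s" value="%s">', $field, $current );
        } elseif ( 'read-only' === $visibility ) {
            $markup[ $field ] = sprintf( '<span class="read-only">%s</span>', $current );
        }
    }
    return $markup;
}

// Saving: keep only posted values whose field is present and read-write.
// Anything a plugin removed or locked is dropped regardless of what was posted.
function example_filter_profile_update( array $posted, $user_to_edit, $acting_caps ) {
    $fields  = example_profile_fields( $user_to_edit, $acting_caps );
    $allowed = array();
    foreach ( $posted as $field => $value ) {
        if ( isset( $fields[ $field ] ) && 'read-write' === $fields[ $field ] ) {
            $allowed[ $field ] = $value;
        }
    }
    return $allowed;
}

// Constructed scenario: an acting user with edit_users but no promote_users
// submits a form that also carries a role change for another account.
$acting_caps  = array( 'edit_users' => true );
$user_to_edit = array( 'ID' => 7, 'email' => 'alice@example.test', 'display_name' => 'Alice', 'role' => 'author' );
$posted       = array( 'email' => 'alice@example.test', 'role' => 'administrator' );

var_dump( example_render_profile_fields( $user_to_edit, $acting_caps ) ); // role rendered as a span, not an input
var_dump( example_filter_profile_update( $posted, $user_to_edit, $acting_caps ) ); // role key removed before update
```

The point of routing both the form and the update through the same filtered map is that the read-only rendering is only cosmetic; the save path is what actually prevents a user who holds `edit_users` from exercising `promote_users` through a hand-crafted request.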