[wp-trac] [WordPress Trac] #24169: WP_Customize_Manager loads the current user too early
WordPress Trac
noreply at wordpress.org
Mon Jul 8 20:32:08 UTC 2013
#24169: WP_Customize_Manager loads the current user too early
-----------------------------+-----------------------------
Reporter: johnjamesjacoby | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Themes | Version: 3.4
Severity: major | Resolution:
Keywords: has-patch |
-----------------------------+-----------------------------
Changes (by nacin):
* milestone: 3.6 => Future Release
Comment:
So the problem with doing cap checks later on is that the theme has
already been given a chance to load by this point. Even though we
eventually die, the very act of including a theme's functions.php when the
user is unable to switch_themes can be considered privilege escalation.
Unfortunately we *need* to do cap checks here before we actually load the
theme. I'm happy to consider some adjustments for it to work better with
the very valid concerns you mentioned. But for the moment, status quo
prevails.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24169#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
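The ordering problem nacin describes above, as an added example that is not WordPress core code: a theme's functions.php executes the moment it is included, so a capability check that runs after the include cannot undo it. The script below stands in for the customizer's theme load with a constructed scratch theme whose functions.php only records that it ran, and a stand-in demo_user_can() in place of WordPress' current_user_can(); the capability sets for the two users are likewise constructed. The two loader functions are hypothetical and exist only to contrast check-after-include with check-before-include.

```php
<?php
// Added example (not WordPress core). Everything here is a stand-in built so the
// script runs offline with plain PHP; no WordPress is loaded.

// Constructed: a scratch "theme" whose functions.php just records that it executed.
$themeDir = sys_get_temp_dir() . '/customize-demo-theme-' . getmypid();
mkdir($themeDir);
file_put_contents(
    $themeDir . '/functions.php',
    "<?php\n\$GLOBALS['theme_code_ran'] = true;\n"
);

// Stand-in for current_user_can(): $caps is the constructed capability list of the user.
function demo_user_can(array $caps, string $cap): bool
{
    return in_array($cap, $caps, true);
}

// Vulnerable ordering (hypothetical): include the theme first, check switch_themes later.
// Even though the request ends in "denied", functions.php has already run.
function load_theme_then_check(array $caps, string $dir): string
{
    $GLOBALS['theme_code_ran'] = false;
    include $dir . '/functions.php';
    if (!demo_user_can($caps, 'switch_themes')) {
        return 'denied';
    }
    return 'allowed';
}

// Hardened ordering (hypothetical): check switch_themes before touching any theme file,
// so a user without the capability never causes the theme's code to execute.
function check_then_load_theme(array $caps, string $dir): string
{
    $GLOBALS['theme_code_ran'] = false;
    if (!demo_user_can($caps, 'switch_themes')) {
        return 'denied';
    }
    include $dir . '/functions.php';
    return 'allowed';
}

// Constructed users: one without switch_themes, one with it.
$subscriber = ['read'];
$admin      = ['read', 'switch_themes', 'edit_theme_options'];

$loaders = [
    'check after include'  => 'load_theme_then_check',
    'check before include' => 'check_then_load_theme',
];

foreach ($loaders as $label => $fn) {
    foreach (['subscriber' => $subscriber, 'admin' => $admin] as $who => $caps) {
        $result = $fn($caps, $themeDir);
        printf(
            "%-20s | %-10s | result: %-7s | theme functions.php ran: %s\n",
            $label,
            $who,
            $result,
            $GLOBALS['theme_code_ran'] ? 'yes' : 'no'
        );
    }
}

// Clean up the scratch theme.
unlink($themeDir . '/functions.php');
rmdir($themeDir);
```

Run with `php` on the command line. The subscriber row under "check after include" is the case the comment is about: the request is refused, but the theme's code has already executed on behalf of a user who may not switch to that theme. Under "check before include" the same user is refused without the theme directory ever being read, which is why the capability check has to sit before the theme load rather than after it.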