[wp-trac] [WordPress Trac] #16860: map_meta_cap use "manage_network_users" instead of is_super_admin for edit_users
WordPress Trac
noreply at wordpress.org
Fri Aug 21 06:33:03 UTC 2015
#16860: map_meta_cap use "manage_network_users" instead of is_super_admin for edit_users
-------------------------------------+-------------------------------------
Reporter: sboisvert | Owner: jeremyfelt
Type: enhancement | Status: reviewing
Priority: normal | Milestone: 4.4
Component: Users | Version:
Severity: normal | Resolution:
Keywords: has-patch needs-codex needs-unit-tests | Focuses: administration, multisite
-------------------------------------+-------------------------------------
Changes (by jeremyfelt):
* keywords: has-patch needs-codex commit => has-patch needs-codex needs-unit-tests
Comment:
I'll take back some of what I said previously. Let's focus on
`edit_user`/`edit_users` only for this ticket. We can cover create and
delete elsewhere. I want to make sure we focus on what this changeset will
be doing.
There's a security concern with the current patch in that any user given
the `manage_network_users` capability can also manage super admins,
including their passwords. Once that's changed...ouch.
We can check the specific user ID that is passed into `map_meta_cap()` and
bail if that user ID itself is a super admin. I've done this in
[https://core.trac.wordpress.org/attachment/ticket/16860/16860.diff 16860.diff],
though the conditional is pretty crazy.
I'd like to have unit tests attached to this as well. We'll get this in,
but it definitely needs to be vetted quite a bit. I read through the other
uses of `edit_user` and `edit_users` caps and things seem okay. What other
possible consequences does this have?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16860#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
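The check the comment describes (look at the user ID handed to `map_meta_cap()` and bail when that target is a super admin) can be expressed as a plugin-side `map_meta_cap` filter. This is an added illustration of the defensive logic, not the attached 16860.diff or core code; it assumes a multisite install, and the function name is made up.

```php
<?php
/**
 * Added example (not the 16860.diff patch): a guard on the core
 * `map_meta_cap` filter that denies `edit_user` when the target user is a
 * super admin and the acting user is not. Without such a check, a user
 * holding only `manage_network_users` could edit a super admin, including
 * changing their password, which is the concern raised in the ticket.
 */
add_filter( 'map_meta_cap', 'ex16860_guard_super_admin_edit', 10, 4 );

/**
 * @param string[] $caps    Primitive capabilities core has mapped so far.
 * @param string   $cap     Meta capability being checked.
 * @param int      $user_id ID of the user performing the action.
 * @param array    $args    Extra arguments; for edit_user, $args[0] is the target user ID.
 * @return string[]
 */
function ex16860_guard_super_admin_edit( $caps, $cap, $user_id, $args ) {
    // Only the edit_user meta capability is in scope for this ticket.
    if ( 'edit_user' !== $cap || ! is_multisite() ) {
        return $caps;
    }

    // The target is the user being edited, passed as the first extra argument.
    $target_id = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( 0 === $target_id ) {
        return $caps;
    }

    // Editing one's own profile is left to core's existing mapping.
    if ( $target_id === (int) $user_id ) {
        return $caps;
    }

    // Bail when the target is a super admin and the actor is not.
    // `do_not_allow` is the core convention for an unsatisfiable capability,
    // so current_user_can( 'edit_user', $target_id ) returns false.
    if ( is_super_admin( $target_id ) && ! is_super_admin( $user_id ) ) {
        return array( 'do_not_allow' );
    }

    return $caps;
}
```

Because the filter runs inside every `map_meta_cap()` call, it covers all code paths that check `edit_user` rather than only the profile screen.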