[wp-trac] [WordPress Trac] #32985: Grant list_users to Editor, Author and Contributor
WordPress Trac
noreply at wordpress.org
Mon Jul 13 20:49:54 UTC 2015
#32985: Grant list_users to Editor, Author and Contributor
-----------------------------+-----------------------------
Reporter: allendav | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: trunk
Severity: normal | Keywords:
Focuses: administration |
-----------------------------+-----------------------------
Right now, only Admins are given the list_users capability by default.

I'd like to propose that Editors, Authors and Contributors also have
list_users capability by default.

The rationale is that users with those roles would benefit from being able
to browse wp-admin/users.php to be able to identify another user that
could help them with a task they are unable to complete themselves (e.g.
publish a post) in the event their usual contact is unavailable.

Basically this would allow lesser capability users to use things like
wp-admin/users.php as a user directory. It would NOT grant user editing
privilege (that's edit_users capability.)

At first glance, there could be concerns about leaking exploitable
information this way, i.e. identifying administrators as a first step in
an attack, but the roles I am proposing to grant list_users to do not
include the default New User Default Role of Subscriber, so unless the
site owner has elevated that setting, only users explicitly added could
see the user list.

Ref 3.0.0 wp-admin/includes/schema.php populate_roles_300
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32985>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform