[wp-trac] [WordPress Trac] #41059: Prevent `do_not_allow` from being added as a capability
WordPress Trac
noreply at wordpress.org
Thu Jun 15 09:12:47 UTC 2017
#41059: Prevent `do_not_allow` from being added as a capability
-----------------------------+-----------------------------
Reporter: peterwilsoncc | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version:
Severity: normal | Keywords: needs-patch
Focuses: |
-----------------------------+-----------------------------
In meta capabilities, WordPress uses the keyword `do_not_allow` to
indicate a user should be blocked from performing a particular action
([https://core.trac.wordpress.org/browser/tags/4.8/src/wp-includes/capabilities.php?marks=34-37#L34 code ref]).
`WP_User`, `WP_Role` and `WP_Roles` do not prevent a theme or plugin from
adding `do_not_allow` as a capability. Adding this capability would cause
unexpected behaviour so it should be blocked as a hardening measure.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41059>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
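
A simplified model of the hardening the ticket asks for, as an added example (not WordPress core code and not part of the ticket). `ModelRole`, `has_caps` and `SENTINEL` are hypothetical names, and the check loop assumes a blocked action is represented by the meta-capability mapping returning `do_not_allow` as the required capability.

```php
<?php
// Simplified stand-in for a role's capability store; not WordPress core code.
const SENTINEL = 'do_not_allow';

final class ModelRole {
    /** @var array<string,bool> capability name => granted */
    public array $caps = [];
    private bool $hardened;

    public function __construct( bool $hardened ) {
        $this->hardened = $hardened;
    }

    public function add_cap( string $cap, bool $grant = true ): void {
        // Hardened store: refuse to persist the reserved keyword at all.
        if ( $this->hardened && SENTINEL === $cap ) {
            throw new InvalidArgumentException( SENTINEL . ' is reserved' );
        }
        $this->caps[ $cap ] = $grant;
    }

    // $required is what the meta-capability mapping returned for the action.
    public function has_caps( array $required ): bool {
        $caps = $this->caps;
        if ( $this->hardened ) {
            unset( $caps[ SENTINEL ] ); // covers values stored before hardening
        }
        foreach ( $required as $cap ) {
            if ( empty( $caps[ $cap ] ) ) {
                return false;
            }
        }
        return true;
    }
}

// Constructed scenario: the mapping has answered "blocked" for some action.
$blocked = [ SENTINEL ];

$legacy = new ModelRole( false );
$legacy->add_cap( SENTINEL );          // nothing stops the keyword being stored
var_dump( $legacy->has_caps( $blocked ) );

$fixed = new ModelRole( true );
$fixed->caps[ SENTINEL ] = true;       // simulates a value stored earlier
var_dump( $fixed->has_caps( $blocked ) );
try {
    $fixed->add_cap( SENTINEL );
} catch ( InvalidArgumentException $e ) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The two `var_dump` calls show how the same blocked check resolves with and without the guard; the hardened model both rejects new writes of the keyword and ignores any copy already in the store.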