[wp-trac] [WordPress Trac] #40230: Is it intended to return 500 for this message: You can't give users that role. or Sorry, you are not allowed to give users that role.
WordPress Trac
noreply at wordpress.org
Wed Mar 22 06:18:17 UTC 2017
#40230: Is it intended to return 500 for this message: You can't give users that
role. or Sorry, you are not allowed to give users that role.
--------------------------+-----------------------------
Reporter: tuanmh | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 4.6.4
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
Hey there,
We've performed some hacking tests on our system; basically, they try to
change the role of a user to a higher level (e.g. editor to administrator)
using a non-authorised user. We got the message:
"You can’t give users that role." in 4.6.x or "Sorry, you are not
allowed to give users that role." in 4.7 as expected but the HTTP status
returned is 500.
Should we return 403 instead of 500? Is it intended?
It has caused false alerts on our system, as every time we perform the
tests we get alerts through email, which could easily cause actual 500
errors to be overlooked.
This should be an easy fix:
- wp-admin/includes/user.php line 62
- wp-admin/users.php line 113
- wp-admin/network/site-users.php line 143
There are other permission-related messages which should return 403 as
well.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/40230>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
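As an added example (not WordPress core code and not from the reporter), this shows the shape of the fix the ticket asks for: a capability check around a role change, first with wp_die() falling back to its default response code, then with 403 passed explicitly. The function names and the promote_user check are illustrative assumptions; only wp_die(), current_user_can(), get_userdata() and WP_User::set_role() are real WordPress APIs.

```php
<?php
// Added example, not WordPress core code. Assumes a WordPress context
// where wp_die(), current_user_can(), __() and get_userdata() exist.

// Before: wp_die() called with only a message uses its default
// 'response' value, so the "not allowed" page is served as HTTP 500 and
// is indistinguishable from a real server error in monitoring.
function demo_assign_role_before( $user_id, $role ) {
    // Hypothetical server-side authorisation check around the role change.
    if ( ! current_user_can( 'promote_user', $user_id ) ) {
        wp_die( __( 'Sorry, you are not allowed to give users that role.' ) );
    }
    $user = get_userdata( $user_id );
    $user->set_role( $role );
}

// After: pass the status code as the second argument. wp_die() treats an
// integer there as the 'response' value, so the same message is served
// as HTTP 403, which alerting can separate from genuine 500s.
function demo_assign_role_after( $user_id, $role ) {
    if ( ! current_user_can( 'promote_user', $user_id ) ) {
        wp_die(
            __( 'Sorry, you are not allowed to give users that role.' ),
            403
        );
    }
    $user = get_userdata( $user_id );
    $user->set_role( $role );
}
```

The authorisation check itself is unchanged between the two versions; only the status code reported to the client (and to any log-based alerting) differs.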