[wp-trac] [WordPress Trac] #45070: Entire Media Library & permissions available to subscribers by accessing wp-admin as a subscriber only.
WordPress Trac
noreply at wordpress.org
Wed Oct 10 13:36:43 UTC 2018
#45070: Entire Media Library & permissions available to subscribers by accessing
wp-admin as a subscriber only.
-----------------------------+----------------------
Reporter: tamramc | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: General | Version: 4.9.8
Severity: major | Resolution: invalid
Keywords: has-screenshots | Focuses:
-----------------------------+----------------------
Comment (by tamramc):
Replying to [comment:1 johnbillion]:
> Hi @tamramc! It sounds like you've made some customisations to the core
> WordPress files (`wp-includes/admin-bar.php`).
actually the only thing changed:
if ( ! current_user_can( 'read' ) ) {
to
if ( ! current_user_can( 'manage_options' ) ) {
> This is never a good idea because it means you can't update to future
> versions of WordPress without risking losing your changes.
and yes, I know this, but I would have simply changed the one word "read"
back to "manage_options".
> You should try to make these changes via a plugin instead. In fact, you
> might find there is already a plugin available on wordpress.org/plugins
> that addresses your needs.
the irony is that a plugin is suggested to fix the problem while advising to
disable all plugins to fix the problem. :-) however, I have a stripped-down
site that I always use to test first; the Media availability problem doesn't
exist after changing "read" to "manage_options", so if someone decides to
access the directory, the only thing that will be shown is the Site Name and
Edit Profile options.
now the issue is that a verified plugin is causing the vulnerability. unless a
plugin is marked "Compatible" and verified by WP, I don't install it, and if
the software isn't maintained or becomes incompatible, I remove the plugin.
it's not a big deal for me because, with folder permissions, the user won't be
able to see anything except 403 denied/unauthorized. but for others, who
knows what the results will be.
>
> Regarding the issue you're reporting, I've tested this with a brand new
> installation of WordPress and a user with the Subscriber level role cannot
> access the media library. You may have introduced some code on your site
> which allows this (for example by modifying or granting the `upload_files`
> user capability), or you may have a plugin or theme on your site which is
> enabling this.
>
> Your best bet is to try deactivating any plugins you've installed, and
> try reverting the changes you've made to WordPress core files.
again, with just the latest core version of WordPress, the wp-admin
directory can be accessed manually; however, the Media option isn't
available, so changing "read" to "manage_options" actually isn't the problem.
what I will do in the same stripped-down environment: add the same plugins
one by one, which are only a few, and see which compatible-labeled plugin
exposes private information, as that plugin shouldn't be marked "Compatible
with WordPress" (tested).
then keep scrolling through the compatible "hide toolbar" plugins, some of
which have gawd-awful interface options and are riddled with "advertising
promotions".
>
> I'll close this ticket as this isn't an issue in core WordPress.
>
> John
thanks.
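The thread above turns on two points: the reporter's edit of `current_user_can( 'read' )` to `current_user_can( 'manage_options' )` inside a core file, and John's note that a Subscriber only sees the Media Library if something has granted the `upload_files` capability. The must-use plugin below is an added example, not code from the ticket or from WordPress itself; it shows how the same gate can live outside core (so updates do not overwrite it) and adds a capability audit that surfaces any role holding `upload_files` beyond the set that ships with WordPress. The choice of `manage_options` as the gate, the exemption of `profile.php` so subscribers keep "Edit Profile", and the list of expected roles are assumptions for illustration; adjust them to the site's actual role model.

```php
<?php
/**
 * Plugin Name: Restrict wp-admin to administrators (added example)
 * Description: Illustrative mu-plugin for ticket #45070; not core or ticket code.
 *
 * Drop into wp-content/mu-plugins/ so it loads without activation and
 * survives core updates.
 */

// Assumption: the capability that should gate the dashboard. The ticket
// swapped 'read' for 'manage_options' in core; we do the same here instead.
const RWA_ADMIN_CAP = 'manage_options';

// Assumption: roles that ship with upload_files in a stock WordPress install.
const RWA_EXPECTED_UPLOAD_ROLES = array( 'administrator', 'editor', 'author' );

/**
 * Send users without the gating capability away from /wp-admin/.
 * admin-ajax.php is left alone because front-end features depend on it,
 * and profile.php is left open so subscribers can still edit their profile
 * (matching the "Site Name and Edit Profile only" behaviour in the ticket).
 */
add_action( 'admin_init', function () {
    if ( wp_doing_ajax() ) {
        return;
    }
    global $pagenow;
    if ( 'profile.php' === $pagenow ) {
        return;
    }
    if ( ! current_user_can( RWA_ADMIN_CAP ) ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
} );

/**
 * Hide the toolbar for the same users, so links such as Media never render
 * on the front end either. This replaces the core edit in admin-bar.php.
 */
add_filter( 'show_admin_bar', function ( $show ) {
    return current_user_can( RWA_ADMIN_CAP ) ? $show : false;
} );

/**
 * Return the names of roles that hold upload_files but are not expected to.
 * A non-empty result is the usual explanation for a Subscriber seeing the
 * Media Library: a plugin or theme has granted the capability.
 *
 * @return string[] Role slugs with an unexpected upload_files grant.
 */
function rwa_unexpected_upload_roles() {
    $unexpected = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        $caps = isset( $role['capabilities'] ) ? $role['capabilities'] : array();
        if ( ! empty( $caps['upload_files'] ) && ! in_array( $slug, RWA_EXPECTED_UPLOAD_ROLES, true ) ) {
            $unexpected[] = $slug;
        }
    }
    return $unexpected;
}

/**
 * Show administrators a notice naming any role with an unexpected grant,
 * so the source (a plugin, theme, or manual change) can be tracked down.
 */
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $roles = rwa_unexpected_upload_roles();
    if ( empty( $roles ) ) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( 'Roles with an unexpected upload_files capability: ' . implode( ', ', $roles ) )
    );
} );
```

The audit deliberately reports rather than removes the capability: a plugin that granted `upload_files` on activation will usually grant it again on the next load, so the durable fix is to find and deactivate that plugin, which is exactly the one-by-one test described in the comment.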
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45070#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform