[wp-trac] [WordPress Trac] #43936: Settings: Warn when open registration and new user default is privileged
WordPress Trac
noreply at wordpress.org
Tue Jun 4 23:43:34 UTC 2019
#43936: Settings: Warn when open registration and new user default is privileged
--------------------------+------------------------------
Reporter: kraftbj | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses: administration
--------------------------+------------------------------
Comment (by dd32):
#46744 was closed as a duplicate of this, which I agree with.
The main difference is that this ticket is about a warning/only allowing
the selection of safe values in the UI, whereas #46744 focuses on the
malicious setting of options to bad values through a vulnerability that
allows setting options (which have been common in recent years in plugins).
Preventing a user from selecting a dangerous combination is needed, but it
also needs to validate that the values in the database are safe to rely
upon, IMHO.
As an example, filter on the default value:
{{{
function filter_default_role( $default_role ) {
	$users_can_register = get_option( 'users_can_register' );
	$role               = get_role( $default_role );

	// get_role() returns null for an unknown role name; treat that as unsafe too.
	if ( $users_can_register && ( ! $role || $role->has_cap( 'manage_options' /* or other cap deemed useful, `publish_posts` could also be used */ ) ) ) {
		$default_role = 'subscriber'; // Fallback role for when an unsafe role has ended up in there
	}
	return $default_role;
}
add_filter( 'option_default_role', 'filter_default_role' );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43936#comment:10>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
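The comment above filters the value at read time. As an added example (not code from the ticket, its reporter, or WordPress core), the companion check is to refuse to write an unsafe combination in the first place, on both options: `pre_update_option_{$option}` runs whenever `update_option()` is called, which is the path both the Settings screen and most option-setting vulnerabilities go through. The hook names, `get_role()`, `WP_Role::has_cap()` and `add_settings_error()` are core APIs; the `example_*` function names and the capability list are this example's own assumptions.

```php
<?php
/**
 * Added example (not from the ticket): refuse to *write* an unsafe combination
 * of `users_can_register` and `default_role`. Drop into an mu-plugin to test.
 * The hook names and signatures are WordPress core's; the example_* helpers
 * and the capability list below are assumptions made for this example.
 */

// Capabilities that make a role unsafe as the default for open registration.
function example_privileged_caps() {
	return array( 'manage_options', 'edit_users', 'publish_posts' );
}

// True if the named role grants any privileged capability.
// An unknown role name is treated as unsafe rather than silently accepted.
function example_role_is_privileged( $role_name ) {
	$role = get_role( $role_name );
	if ( ! $role instanceof WP_Role ) {
		return true;
	}
	foreach ( example_privileged_caps() as $cap ) {
		if ( $role->has_cap( $cap ) ) {
			return true;
		}
	}
	return false;
}

// Runs before `default_role` is saved: keep the old value if registration is
// open and the incoming role is privileged.
function example_guard_default_role( $value, $old_value, $option ) {
	if ( get_option( 'users_can_register' ) && example_role_is_privileged( $value ) ) {
		add_settings_error(
			'default_role',
			'unsafe_default_role',
			sprintf( 'Refusing to make "%s" the default role while registration is open.', esc_html( $value ) )
		);
		return $old_value;
	}
	return $value;
}
add_filter( 'pre_update_option_default_role', 'example_guard_default_role', 10, 3 );

// Runs before `users_can_register` is saved: refuse to open registration while
// the current default role is privileged.
function example_guard_users_can_register( $value, $old_value, $option ) {
	if ( $value && example_role_is_privileged( get_option( 'default_role', 'subscriber' ) ) ) {
		add_settings_error(
			'users_can_register',
			'unsafe_open_registration',
			'Refusing to open registration while the default role is privileged.'
		);
		return $old_value;
	}
	return $value;
}
add_filter( 'pre_update_option_users_can_register', 'example_guard_users_can_register', 10, 3 );
```

This covers every caller of `update_option()`, but a value written straight into `wp_options` (a direct SQL write, or an option changed before this code was active) is only caught by a read-time filter like the one in the comment above, so the two checks are complementary rather than alternatives.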