Ticket #6566 (closed defect: invalid)

Opened 3 months ago

Last modified 6 days ago

custom-built roles can create administrator users

Reported by: Denis-de-Bernardy Assigned to: anonymous
Priority: normal Milestone:
Component: Security Version: 2.5
Severity: minor Keywords: capabilities
Cc:

Description

If you create a custom role using the role manager and let that role edit options for any reason (e.g. you want to set up some kind of demo site), then users with that role can open registrations, assign administrator as the default role, and then let themselves in as administrator.

Fix:

	// Proposed fix: when registration is open and default_role has been set to
	// 'administrator', hand back the first non-administrator role listed in
	// $wp_roles->role_names instead, and persist that choice at shutdown so the
	// stored option itself is corrected.
	function default_role( $o ) {
		if ( 'administrator' === $o && get_option( 'users_can_register' ) ) {
			global $wp_roles;

			foreach ( $wp_roles->role_names as $role => $name ) {
				if ( 'administrator' !== $role ) {
					$o = $role;
					// Closure instead of create_function(), which was eval-based
					// and is removed in PHP 8.
					add_action( 'shutdown', function () use ( $role ) {
						// update_option() compares against get_option(), which
						// runs this very filter; remove it first, otherwise the
						// masked value looks unchanged and the write is skipped.
						remove_filter( 'option_default_role', 'default_role' );
						update_option( 'default_role', $role );
					} );
					break;
				}
			}
		}

		return $o;
	} # default_role()

	add_filter( 'option_default_role', 'default_role' );
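An alternative mitigation, added here as an example and not part of the ticket or the reporter's fix: rather than rewriting the option on read, refuse the write itself whenever the requested default role carries a privileged capability, which generalizes the check from 'administrator' to any role that could manage users, options or plugins. It assumes a current WordPress release (the `pre_update_option_{$option}` filter, `get_role()`, `WP_Role::has_cap()` and `get_current_user_id()` exist in modern versions, not necessarily in 2.5), and the `mu_` function names are the example's own.

```php
<?php
// Added example (not from the ticket): refuse to let a privileged role become
// the self-registration default, whoever holds edit_options. Assumes a modern
// WordPress install with the pre_update_option_{$option} filter, get_role(),
// WP_Role::has_cap() and get_current_user_id(). Install it under
// wp-content/mu-plugins/ so it cannot be switched off from the admin UI.

// Any role holding one of these capabilities must never be handed out on signup.
function mu_privileged_caps() {
	return array( 'edit_options', 'edit_users', 'promote_users', 'install_plugins' );
}

// True when $role_name holds a privileged capability; unknown roles fail closed.
function mu_role_is_privileged( $role_name ) {
	$role = get_role( $role_name );
	if ( null === $role ) {
		return true;
	}
	foreach ( mu_privileged_caps() as $cap ) {
		if ( $role->has_cap( $cap ) ) {
			return true;
		}
	}
	return false;
}

// Runs before default_role is written. Returning the old value makes
// update_option() see "no change" and skip the write, so the setup the ticket
// describes (open registration + default_role = administrator) cannot be created.
function mu_guard_default_role( $new_value, $old_value ) {
	if ( mu_role_is_privileged( $new_value ) ) {
		error_log( sprintf(
			'Refused default_role change to "%s" by user %d',
			$new_value,
			get_current_user_id()
		) );
		return $old_value;
	}
	return $new_value;
}
add_filter( 'pre_update_option_default_role', 'mu_guard_default_role', 10, 2 );
```

This guards writes only; a default_role value that was already stored before the file is installed still needs a read-side check such as the filter in the ticket.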

Change History

06/29/08 19:51:59 changed by pishmishy

  • keywords set to capabilities.
  • status changed from new to closed.
  • resolution set to invalid.
  • milestone deleted.

This is by design. The edit_options capability is intended to allow a user to edit options ;-). See also #6014.

I've discussed these sorts of issues with the author of the role manager plugin and the conclusion seems to be that if you're not sure what each capability actually allows, you shouldn't be messing with them :-)

It may be a documentation issue, but I'm reluctant to accept it as a bug, so I'm going to close for now.