Ticket #6566 (closed defect (bug): wontfix)

Opened 4 years ago

Last modified 23 months ago

custom-built roles can create administrator users

Reported by: Denis-de-Bernardy Owned by: anonymous
Priority: normal Milestone:
Component: Security Version: 2.5
Severity: minor Keywords: capabilities close
Cc:

Description

If you create a custom role using the role manager, and let that role edit options for any reason (e.g. you want to set up some kind of demo site), then users with that role can open registrations, assign administrator as the default role, and then let themselves in as administrator.

Fix:

	// Filter that runs whenever the 'default_role' option is read. If it is set to
	// 'administrator' while open registration is on, substitute the first other
	// registered role and persist that substitution when the request shuts down.
	function default_role( $o )
	{
		if ( $o == 'administrator' && get_option( 'users_can_register' ) )
		{
			global $wp_roles;

			foreach ( $wp_roles->role_names as $role => $name )
			{
				if ( $role != 'administrator' )
				{
					$o = $role;
					// Closure (PHP 5.3+) in place of the original create_function() call,
					// which was removed in PHP 8; behaviour is unchanged.
					add_action( 'shutdown', function () use ( $role ) {
						update_option( 'default_role', $role );
					} );
					break;
				}
			}
		}

		return $o;
	} # default_role()

	add_filter( 'option_default_role', 'default_role' );

Change History

  • Keywords capabilities added
  • Status changed from new to closed
  • Resolution set to invalid
  • Milestone 2.5.2 deleted

This is by design. The edit_options capability is intended to allow a user to edit options ;-) . See also #6014.

I've discussed these sorts of issues with the author of the role manager plugin and the conclusion seems to be that if you're not sure what each capability actually allows, you shouldn't be messing with them :-)

It may be a documentation issue but I'm reluctant to accept it as a bug so I'm going to close for now.

  • Milestone set to 3.0

true, but this prevents anyone from creating a proper demo site.

  • Status changed from closed to reopened
  • Resolution invalid deleted

comment:4 dd32, 2 years ago

  • Keywords close added

This is, IMO, a wontfix.

If you wish to have a demo site, with people being able to edit options, then you need to lock certain options down. It's nothing new: if you have a user that can change security-related options, then they must be trusted.

Add a filter to the sanitization hook for that function, and always return the old setting. Job done.
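The lock-down described in that comment, written out as an added example for this ticket (it is not code from the reporter, from dd32, or from WordPress core). It hooks the sanitize_option_{$option} filter of each sensitive option and always returns the stored value, so a role holding edit_options cannot open registration and then make administrator the default role. It assumes that filter receives ( $value, $option ) and runs on every save through update_option()/add_option(), including the Settings screens; the list of locked options, the function names and the log line format are choices made for the example.

```php
<?php
/*
 * Plugin Name: Lock demo-site options
 * Added example for ticket #6566, not code from the ticket or from WordPress core.
 * Drop it into wp-content/mu-plugins/ so it loads before any settings screen.
 */

// Options that must keep their stored value regardless of what is submitted.
// 'default_role' and 'users_can_register' are the two the ticket is about;
// 'admin_email' is an assumed extra that a demo site would also want pinned.
function demo_locked_options() {
	return array( 'default_role', 'users_can_register', 'admin_email' );
}

/**
 * Sanitization filter for a locked option. Hands back the value already stored,
 * which turns the save into a no-op. The only write allowed through is the very
 * first add (no stored value yet), so a fresh install can still be configured.
 *
 * @param mixed  $value  Value submitted for the option.
 * @param string $option Option name (WordPress passes it as the 2nd argument).
 * @return mixed The stored value, or $value when the option does not exist yet.
 */
function demo_lock_option( $value, $option ) {
	$stored = get_option( $option ); // false when the option has never been set
	if ( false === $stored ) {
		return $value;
	}
	if ( (string) $stored !== (string) $value ) {
		// Constructed log line: a rejected write to a locked option is exactly the
		// event the ticket describes, so make it visible in the PHP error log.
		error_log( sprintf(
			'locked option %s: rejected change by user %d',
			$option,
			get_current_user_id()
		) );
	}
	return $stored;
}

foreach ( demo_locked_options() as $locked ) {
	add_filter( 'sanitize_option_' . $locked, 'demo_lock_option', 10, 2 );
}
```

Because the filter runs inside update_option() rather than only on the Settings page, it also covers the shutdown-hook trick from the ticket description and any plugin that calls update_option() directly. The lock applies to every user, administrators included, which is what "always return the old setting" means in practice: the site owner changes a locked option by removing the mu-plugin (or editing the row directly), not through the UI.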

  • Status changed from reopened to closed
  • Resolution set to wontfix
  • Milestone 3.0 deleted