Ticket #6662 (closed defect (bug): fixed)

Opened 4 years ago

Last modified 4 years ago

Users without capability "create_users" can add new users

Reported by: imwebgefunden Owned by: anonymous
Priority: high Milestone: 2.5.1
Component: Security Version: 2.5
Severity: critical Keywords:
Cc:

Description

If a user has the capability "edit_users" and not the capability "create_users" he can add new users. The defect is in admin-ajax.php. The check is against "edit_users" and not "create_users". I've attached a patch to fix this issue. A second one - more an AddOn and not an defect: We should show the add user form only if the current user has the capability to add a new user. If the current user has the capability "create_users" the form will be shown. The second patch I attached make this job.

Attachments

ajax_create_users.diff Download (381 bytes) - added by imwebgefunden 4 years ago.
Patch for admin-ajax.php to check against "create_users"
hide_create_user_form.diff Download (365 bytes) - added by imwebgefunden 4 years ago.
Show "Add User" Form only if the current user can create new users

Change History

imwebgefunden4 years ago

Patch for admin-ajax.php to check against "create_users"

imwebgefunden4 years ago

Show "Add User" Form only if the current user can create new users

comment:1   imwebgefunden4 years ago

  • Severity changed from normal to critical

comment:2   ryan4 years ago

  • Status changed from new to closed
  • Resolution set to fixed

(In [7659]) Check create_users cap instead of edit_users wgen adding/inserting users. Props imwebgefunden. fixes #6662 for 2.5

comment:3   ryan4 years ago

(In [7660]) Check create_users cap instead of edit_users wgen adding/inserting users. Props imwebgefunden. fixes #6662 for trunk

Note: See TracTickets for help on using tickets.