#14578 closed defect (bug) (fixed)
Default User Role isn't checked against defined roles, causing unexpected resets to Administrator
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 3.7 | Priority: | normal |
| Severity: | major | Version: | 3.0.1 |
| Component: | Role/Capability | Keywords: | has-patch 3.2-early commit |
| Focuses: | | Cc: | |
Description
Take these steps:
- Activate a plugin that creates role on activation. For example, it calls "add_role( 'photo_uploader', 'Photo Uploader', array( 'read') );"
- In General Settings, set the Default User Role to this new role, 'Photo Uploader'.
- Deactivate the plugin, removing the roles: "remove_role( 'photo_uploader');"
- In General Settings, the Default User Role now displays 'Administrator'. (In the database, it still says 'photo_uploader'.)
- When creating a new user (as admin), the role dropdown box now displays 'Administrator' as the role for this new user. This new user _will_ have the role 'Administrator' if an unsuspecting admin does not explicitly alter the role in the dropdown box.
This way, an unsuspecting administrator might accidentally create new admins for his blog.
I have also tested this for new users registering themselves. Fortunately, they are assigned the role 'None', not 'Administrator'.
Greetings,
Ivo van der Linden
(employee of LaQuSo @ Eindhoven University of Technology)
Attachments (3)
Change History (17)
#5 @ 14 years ago
We should probably reverse the results from get_editable_roles() there, so they are listed in ascending order (for the default roles).
Dion's take definitely makes sense. We could also drop a filter in the options API to verify the role's existence that way (as roles aren't always stored in the DB), or just stick an update_option call in options-general right before the role dropdown. Cheap, but effective here and elsewhere.
#6 @ 14 years ago
- Keywords 3.2-early added
- Milestone changed from Awaiting Review to Future Release
- Summary changed from Security issue after plugin deactivation (by accidentally creating administrators) to Default User Role isn't checked against defined roles, causing unexpected resets to Administrator
@ 14 years ago
reverse role dropdown list, add a verification filter for 'default_role', update 'default_role' when remove_role()
#9 @ 12 years ago
- Keywords needs-testing removed
- Milestone changed from Future Release to 3.6
Patch refreshed against trunk excludes the PHP4 by-ref nonsense
We should probably check on remove_role() to see if it's the default role, and if so, revert back to subscriber in that case (Assuming the role exists)
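As an added example (not the patch attached to this ticket and not WordPress core code), a small plugin that applies the two checks discussed in comments #5 and #9 from the plugin side: an `option_default_role` filter that refuses a stored role name that no longer exists, and a deactivation hook that resets the option to 'subscriber' before calling `remove_role()`. The plugin header, the `drg_` function names and the `photo_uploader` role are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Default Role Guard (example, not part of this ticket's patch)
 * Demonstrates two defensive checks against the stale 'default_role' bug.
 */

// Name of the custom role this example plugin registers (constructed value).
const DRG_ROLE = 'photo_uploader';

/**
 * Return a safe default role: the configured one if it still exists,
 * otherwise 'subscriber' if that role is defined, otherwise an empty
 * string so that no user silently receives an unintended capability set.
 */
function drg_valid_default_role( $role ) {
    if ( is_string( $role ) && '' !== $role && get_role( $role ) ) {
        return $role;          // stored role still exists, keep it
    }
    if ( get_role( 'subscriber' ) ) {
        return 'subscriber';   // lowest built-in role as the fallback
    }
    return '';                 // nothing safe to fall back to
}

// Runs on every get_option( 'default_role' ) read (the options API filter
// suggested in comment #5), so a stale name never resolves to the first
// entry of the role dropdown, which is 'Administrator'.
add_filter( 'option_default_role', 'drg_valid_default_role' );

function drg_activate() {
    // Capabilities are keyed by name with a boolean value.
    add_role( DRG_ROLE, 'Photo Uploader', array( 'read' => true ) );
}
register_activation_hook( __FILE__, 'drg_activate' );

/**
 * On deactivation, repair the stored option *before* the role disappears
 * (comment #9's suggestion), so the database no longer references a role
 * that is about to be removed.
 */
function drg_deactivate() {
    if ( get_option( 'default_role' ) === DRG_ROLE ) {
        update_option( 'default_role', 'subscriber' );
    }
    remove_role( DRG_ROLE );
}
register_deactivation_hook( __FILE__, 'drg_deactivate' );
```

The filter only covers reads through `get_option()`; the deactivation hook is what keeps the stored value itself consistent, which is why both are shown together.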