WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 4 years ago

Last modified 4 years ago

#14578 closed defect (bug) (fixed)

Default User Role isn't checked against defined roles, causing unexpected resets to Administrator

Reported by: Ivolution Owned by: garyc40
Milestone: 3.7 Priority: normal
Severity: major Version: 3.0.1
Component: Role/Capability Keywords: has-patch 3.2-early commit
Focuses: Cc:

Description

Take these steps:

  1. Activate a plugin that creates role on activation. For example, it calls "add_role( 'photo_uploader', 'Photo Uploader', array( 'read') );"
  2. In General Settings, set the Default User Role to this new role, 'Photo Uploader'.
  3. Deactivate the plugin, removing the roles: "remove_role( 'photo_uploader');"
  4. In General Settings, the Default User Role now displays 'Administrator'. (In the database, it still says 'photo_uploader'.)
  5. When creating a new user (as admin), the role dropdown-box now displays 'Administrator' as role for this new user. This new user _will_ have role 'Administrator' if an unsuspecting admin does not explicitly alter the role in the dropdown-box.

This way, an unsuspecting adminstrator might accidentally create new admins for his blog.

I have also tested this for new users registering themselves. Fortunately, they are assigned the role 'None', not 'Administrator'.

Greetings,

Ivo van der Linden
(employee of LaQuSo @ Eindhoven University of Technology)

Attachments (3)

garyc40.14578.diff (4.0 KB) - added by garyc40 7 years ago.
reverse role dropdown list, add a verification filter for 'default_role', update 'default_role' when remove_role()
14578.diff (2.9 KB) - added by wonderboymusic 5 years ago.
14578.2.diff (2.9 KB) - added by wonderboymusic 4 years ago.

Download all attachments as: .zip

Change History (17)

#1 @scribu
7 years ago

  • Component changed from General to Role/Capability

#2 @Denis-de-Bernardy
7 years ago

  • Cc Denis-de-Bernardy added

#3 @dd32
7 years ago

We should probably check on remove_role() to see if it's the default role, and if so, revert back to subscriber in that case (Assuming the role exists)

#4 @dd32
7 years ago

  • Keywords needs-patch added; plugin administrator security removed

#5 @nacin
7 years ago

We should probably reverse the results from get_editable_roles() there, so they are listed in ascending order (for the default roles).

Dion's take definitely makes sense. We could also drop a filter in the options API to verify the role's existence that way (as roles aren't always stored in the DB), or just stick an update_option call in options-general right before the role dropdown. Cheap, but effective here and elsewhere.

#6 @nacin
7 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release
  • Summary changed from Security issue after plugin deactivation (by accidentally creating administrators) to Default User Role isn't checked against defined roles, causing unexpected resets to Administrator

#7 @garyc40
7 years ago

  • Owner set to garyc40
  • Status changed from new to assigned

@garyc40
7 years ago

reverse role dropdown list, add a verification filter for 'default_role', update 'default_role' when remove_role()

#8 @garyc40
7 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

@wonderboymusic
5 years ago

#9 @wonderboymusic
5 years ago

  • Keywords needs-testing removed
  • Milestone changed from Future Release to 3.6

Patch refreshed against trunk excludes the PHP4 by-ref nonsense

#10 @ryan
5 years ago

  • Milestone changed from 3.6 to Future Release

#11 @wonderboymusic
4 years ago

  • Milestone changed from Future Release to 3.7

14578.2.diff is fuzz-less

#12 @nacin
4 years ago

  • Keywords commit added

Hmm, looking at it again, this might be better on save? Agree with the rest, though.

#13 @nacin
4 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 25695:

Reverse the order of roles in wp_dropdown_roles(). Reset to 'subscriber' when the default role is removed and when a save is invalid.

props garyc40, wonderboymusic.
fixes #14578.

#14 @nofearinc
4 years ago

#15636 was marked as a duplicate.

Note: See TracTickets for help on using tickets.