
Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#15002 closed defect (bug) (invalid)

unfiltered_html capability is not observed when set explicitly for role

Reported by: phlux0r
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0.1
Component: Role/Capability
Keywords: reporter-feedback
Focuses:
Cc:

Description

When the unfiltered_html capability is explicitly set for a user role, WP does not observe it.

In wp-includes/capabilities.php around line 1021 the code is:

        case 'unfiltered_html':
                // Disallow unfiltered_html for all users, even admins and super admins.
                if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
                        $caps[] = 'do_not_allow';
                        break;
                }
                // Fall through if not DISALLOW_UNFILTERED_HTML

My fix is to change it to:

        case 'unfiltered_html':
                // Disallow unfiltered_html for all users, even admins and super admins.
                if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
                        $caps[] = 'do_not_allow';
                        break;
                } else { // FIX to observe the unfiltered_html capability assigned to role
                        $caps[] = $cap;
                        break;
                }
                // Fall through if not DISALLOW_UNFILTERED_HTML

Cheers, Robert

Change History (5)

#1 @nacin
10 years ago

You're missing an important section of the code that follows. There is no break; there. The comment specifically says it falls through:

	case 'unfiltered_html':
		// Disallow unfiltered_html for all users, even admins and super admins.
		if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
			$caps[] = 'do_not_allow';
			break;
		}
		// Fall through if not DISALLOW_UNFILTERED_HTML
	case 'delete_user':
	case 'delete_users':
		// If multisite these caps are allowed only for super admins.
		if ( is_multisite() && !is_super_admin() )
			$caps[] = 'do_not_allow';
		else
			$caps[] = $cap;
		break;

That might as well read this:

	case 'unfiltered_html':
		// Disallow unfiltered_html for all users, even admins and super admins.
		if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
			$caps[] = 'do_not_allow';
			break;
		}
		// If multisite these caps are allowed only for super admins.
		if ( is_multisite() && !is_super_admin() )
			$caps[] = 'do_not_allow';
		else
			$caps[] = $cap;
		break;

I'm thinking you have something else going on which is why this isn't working for you.

#2 @nacin
10 years ago

  • Keywords reporter-feedback added; capability roles unfiltered_html removed

#3 follow-up: @lybica
10 years ago

  • Cc lybica added

Hi, I came across the same issue recently.

I believe it is incorrect to fall through to the next case block here;
currently for any multisite installation (if is_multisite() returns true),
a non-super-admin can never have the 'unfiltered_html' capability (pushed to $cap).

Or is there a reason behind this?

#4 in reply to: ↑ 3 ; follow-up: @nacin
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Replying to lybica:

currently for any multisite installation (if is_multisite() returns true),
a non-super-admin can never have the 'unfiltered_html' capability (pushed to $cap).

Correct. Only super admins are trusted with unfiltered_html in multisite.

#5 in reply to: ↑ 4 @lybica
10 years ago

Replying to nacin:

Correct. Only super admins are trusted with unfiltered_html in multisite.

Thanks for the clarification.

@phlux0r, since this is a feature,
I ended up writing a plugin that removes the html filtering altogether by

remove_action('init', 'kses_init');
remove_action('set_current_user', 'kses_init');

for "trusted users".
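A narrower alternative to removing kses_init outright, added here as an example (not code from the ticket or from WordPress core): it hooks the map_meta_cap filter, which is assumed to be available (WordPress 4.4 and later), and re-grants unfiltered_html only to an explicit allowlist of user IDs (the IDs below are constructed placeholders) while leaving DISALLOW_UNFILTERED_HTML and the super-admin rule for everyone else untouched.

```php
<?php
/**
 * Plugin Name: Scoped unfiltered_html for multisite (added example)
 *
 * Assumes the `map_meta_cap` filter (WordPress 4.4+). Instead of disabling
 * kses for every user, re-grant unfiltered_html to a short allowlist, and only
 * when the user's role already holds the primitive capability.
 */

// Constructed placeholder IDs; replace with the users you actually trust.
function example_trusted_unfiltered_html_user_ids() {
    return array( 2, 7 );
}

function example_scope_unfiltered_html( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' !== $cap ) {
        return $caps;
    }

    // Keep the global kill switch: DISALLOW_UNFILTERED_HTML always wins.
    if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
        return $caps;
    }

    // Core only maps this to do_not_allow for non-super-admins in multisite;
    // in every other situation leave its decision as it is.
    if ( ! is_multisite() || is_super_admin( $user_id ) ) {
        return $caps;
    }

    if ( in_array( (int) $user_id, example_trusted_unfiltered_html_user_ids(), true ) ) {
        // Replace do_not_allow with the primitive cap, so the user's role must
        // still grant unfiltered_html for current_user_can() to return true.
        return array( 'unfiltered_html' );
    }

    return $caps;
}
add_filter( 'map_meta_cap', 'example_scope_unfiltered_html', 10, 4 );
```

Because kses_init decides per user with current_user_can( 'unfiltered_html' ), the kses filters are skipped only for the allowlisted users and stay in place for everyone else.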
