Make WordPress Core

Opened 19 years ago

Closed 19 years ago

Last modified 18 years ago

#1735 closed defect (bug) (fixed)

New users when registered get admin privileges by default!

Reported by: greyman
Owned by:
Milestone:
Priority: high
Severity: major
Version: 1.6
Component: Security
Keywords: role capabilities
Focuses:
Cc:

Description

New users when registered get admin privileges by default.

So if you want all commenters to be registered users, right now they can register and get admin privileges within minutes to your blog.

There is no way to select in the admin menu that all new users when registered will be a subscriber, editor, author, admin, etc.; they are just automatically given admin privileges.

You have to manually change the newly created user to subscriber, etc. in the admin section.

This is a major security issue!

Change History (5)

#1 @ryan
19 years ago

In Options->General verify that "New User Default Role:" is set to Subscriber instead of Administrator.

Run upgrade.php to make sure you have all of the latest role updates.

#2 @darkfate
19 years ago

It's there, but why is it set to admin by default? The list should be the other way around. I would edit it myself but I don't know what file has the dropdown menu. I thought it was in vars.php or capabilities.php but I can't seem to find it.

#3 @MichaelH
19 years ago

  • Keywords role capabilities added

Isn't this resolved by 1823?

#4 @ryan
19 years ago

  • Milestone set to 2.0
  • Resolution set to fixed
  • Status changed from new to closed

"New User Default Role:" in general options defaults to "Subscriber".

#5 @(none)
18 years ago

  • Milestone 2.0 deleted

