#1735 closed defect (bug) (fixed)
New users when registered get admin privileges by default!
| Reported by: | greyman | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | high |
| Severity: | major | Version: | 1.6 |
| Component: | Security | Keywords: | role capabilities |
| Focuses: | | Cc: | |
Description
New users when registered get admin privileges by default.
So if you want all commenters to be registered users, right now they can register and get admin privileges within minutes to your blog.
There is no way to select in the admin menu that all new users when registered will be a subscriber, editor, author, admin, etc.; they are just automatically given admin privileges.
You have to manually change the newly created user to subscriber, etc. in the admin section.
This is a major security issue!
Change History (5)
#2, 19 years ago
It's there, but why is it set to admin by default? The list should be the other way around. I would edit it myself but I don't know what file has the dropdown menu. I thought it was in vars.php or capabilities.php but I can't seem to find it.
In Options->General verify that "New User Default Role:" is set to Subscriber instead of Administrator.
Run upgrade.php to make sure you have all of the latest role updates.
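
An offline version of the check described above, as an added example that is not part of the original ticket or of WordPress itself: it reads rows exported from the options, users and usermeta tables and reports a default role other than Subscriber, plus any administrator account outside an expected list. The `default_role` option name, the `wp_capabilities` meta key (default `wp_` table prefix) and all sample rows are assumptions constructed for illustration.

```python
import re

# PHP-serialized capabilities look like: a:1:{s:13:"administrator";b:1;}
# Only roles whose flag is b:1 (enabled) are captured.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_of(serialized):
    """Return the set of role names enabled in a serialized capabilities value."""
    return set(ROLE_RE.findall(serialized))


def audit(options, users, usermeta, known_admins):
    """Return findings as (kind, detail) tuples.

    options      -- dict of option_name -> option_value
    users        -- dict of user id -> login name
    usermeta     -- iterable of (user_id, meta_key, meta_value)
    known_admins -- logins that are expected to hold the administrator role
    """
    findings = []
    default_role = options.get("default_role", "")
    if default_role != "subscriber":
        # Self-registered accounts would receive this role automatically.
        findings.append(("default_role", default_role))
    for user_id, key, value in usermeta:
        if key != "wp_capabilities":  # assumed key, default wp_ prefix
            continue
        login = users[user_id]
        if "administrator" in roles_of(value) and login not in known_admins:
            findings.append(("unexpected_admin", login))
    return findings


# Constructed sample rows (not taken from any real site).
SAMPLE_OPTIONS = {"default_role": "administrator"}
SAMPLE_USERS = {1: "admin", 2: "commenter1", 3: "commenter2"}
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "nickname", "commenter2"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_OPTIONS, SAMPLE_USERS, SAMPLE_USERMETA, {"admin"}):
        print(finding)
```

Accounts reported as `unexpected_admin` are the ones that registered while the default was wrong and still need to be changed by hand, as the description notes.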