Opened 13 years ago
Closed 13 years ago
#19684 closed defect (bug) (fixed)
Users list 'Change role to' allows for changing logged-in Admin role to Subscriber
Reported by: | raamdev | Owned by: | ryan |
---|---|---|---|
Milestone: | 3.3.1 | Priority: | normal |
Severity: | major | Version: | 3.3 |
Component: | Users | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
While it's not possible for an Administrator to change his or her own role to Subscriber from the Edit Profile page (the drop-down doesn't exist for logged-in Admins), it is possible to change your own role to Subscriber from within the Users list by using the 'Change role to...' drop-down.
This would allow an Administrator to inadvertently lock themselves out of WordPress if they forget to uncheck their account in the list when making bulk updates.
To recreate this issue, first create an additional Administrator account so you can get back in. Then from the Users list, select your current Administrator account (i.e., the one you're logged in with) and then choose 'Change role to' -> Subscriber.
You'll immediately be kicked out of the Admin panel. (Now you can login with the other Admin account and change your role back to Administrator.)
Attachments (1)
Change History (12)
#3
@
13 years ago
- Component changed from General to Users
- Keywords needs-patch added
- Severity changed from normal to major
#4
@
13 years ago
- Milestone changed from Awaiting Review to 3.3.1
I must have thought that was in an is_multisite() block. Logic fix should be simple.
Introduced in [19024] for #18164.