#20488 closed defect (bug) (fixed)
DISALLOW_UNFILTERED_HTML improperly controls file edit/modifications
Reported by: | nacin | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.4 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Role/Capability | Keywords: | has-patch 2nd-opinion |
Focuses: | | Cc: | |
Description
Apparently DISALLOW_UNFILTERED_HTML is not often used, as doing so also accidentally sets various other capabilities to do_not_allow: edit_, install_, update_, and delete_ plugins and themes, and update_core.
On one hand, it could be inferred that disallowing HTML also means you want to disallow access to install or modify code. I would agree. However, update_core should be excluded from this inference.
Attached is a unit test (the constant does not break any other tests, so it appears) and a patch. If we decide that only update_core should be excluded, the patch will be a bit simpler.
Attachments (2)
Change History (5)
It looks like [14244] simply expanded a case 'unfiltered_html': to have special code. Because of the fall-throughs above it, we have the behavior we have now. It certainly does not look like it was intentional to disallow code editing or plugin updating with this constant.
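The fall-through described in the comment above, as an added example that is not part of the ticket or WordPress's own code: a simplified capability mapper in which the cases above 'unfiltered_html' drop into its check, next to a version where each group returns on its own. The function names, the $flags array standing in for the constants, and the DISALLOW_FILE_MODS gate on the upper cases are assumptions of this sketch.

```php
<?php
// Simplified model of a capability mapper; NOT WordPress's map_meta_cap().
// Flags are passed as an array (assumption) so both functions can be run
// with the same settings; in WordPress they are constants.

function map_cap_fallthrough(string $cap, array $flags): array {
    $caps = [];
    switch ($cap) {
        case 'update_plugins':
        case 'install_themes':
        case 'update_core':
            if (!empty($flags['DISALLOW_FILE_MODS'])) {
                $caps[] = 'do_not_allow';
                break;
            }
            // No break: execution continues into the next case's special code.
        case 'unfiltered_html':
            if (!empty($flags['DISALLOW_UNFILTERED_HTML'])) {
                $caps[] = 'do_not_allow';
                break;
            }
            // No break: falls through to the default handling.
        default:
            $caps[] = $cap;
    }
    return $caps;
}

// Same mapping, but every group returns, so a flag only affects its own cases.
function map_cap_separated(string $cap, array $flags): array {
    switch ($cap) {
        case 'update_plugins':
        case 'install_themes':
        case 'update_core':
            return !empty($flags['DISALLOW_FILE_MODS']) ? ['do_not_allow'] : [$cap];
        case 'unfiltered_html':
            return !empty($flags['DISALLOW_UNFILTERED_HTML']) ? ['do_not_allow'] : [$cap];
        default:
            return [$cap];
    }
}

// Constructed scenario: only the HTML flag is set.
$flags = ['DISALLOW_UNFILTERED_HTML' => true];
foreach (['unfiltered_html', 'update_core', 'update_plugins', 'edit_posts'] as $cap) {
    printf("%-16s fallthrough=%-14s separated=%s\n", $cap,
        implode(',', map_cap_fallthrough($cap, $flags)),
        implode(',', map_cap_separated($cap, $flags)));
}
```

With only the HTML flag set, the fall-through version maps update_core and update_plugins to do_not_allow, while the separated version does so only for unfiltered_html. Whether plugin and theme capabilities should stay tied to the HTML flag is the policy question the description raises.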