Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#20488 closed defect (bug) (fixed)

DISALLOW_UNFILTERED_HTML improperly controls file edit/modifications

Reported by: nacin Owned by: nacin
Milestone: 3.4 Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: has-patch 2nd-opinion
Focuses: Cc:

Description

Apparently DISALLOW_UNFILTERED_HTML is not often used, as doing so also accidentally sets various other capabilities to do_not_allow: edit_, install_, update_, and delete_ plugins and themes, and update_core.

On one hand, it could be inferred that disallowing HTML also means you want to disallow access to install or modify code. I would agree. However, update_core should be excluded from this inference.

Attached is a unit test (the constant does not break any other tests, so it appears) and a patch. If we decide that only update_core should be excluded, the patch will be a bit simpler.

Attachments (2)

20488.diff (1.0 KB) - added by nacin 12 years ago.
test.20488.diff (881 bytes) - added by nacin 12 years ago.


Change History (5)

#1 @nacin
12 years ago

It looks like [14244] simply expanded a case 'unfiltered_html': to have special code. Because of the fall-throughs above it, we have the behavior we have now. It certainly does not look like it was intentional to disallow code editing or plugin updating with this constant.

#2 @nacin
12 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [20534]:

Do not block file mod/edit caps when DISALLOW_UNFILTERED_HTML is set. There are separate constants (DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS) for those. fixes #20488.
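
The fall-through behavior described in comment 1, as an added example that is not WordPress's map_meta_cap() and not the code from [20534]. It is a simplified model: the function names and the $flags array (standing in for the DISALLOW_* constants) are hypothetical, and the "fixed" variant is one assumed way to remove the fall-through.

```php
<?php
// Simplified model of a capability-mapping switch (hypothetical, not WordPress code).
// $flags stands in for the DISALLOW_* constants so both variants can be compared.

function map_cap_fallthrough(string $cap, array $flags): array {
    $caps = [];
    switch ($cap) {
        case 'edit_plugins':
        case 'edit_themes':
            if (!empty($flags['DISALLOW_FILE_EDIT'])) { $caps[] = 'do_not_allow'; break; }
            // no break: falls through to the file-mods check
        case 'install_plugins':
        case 'update_plugins':
        case 'delete_plugins':
        case 'update_core':
            if (!empty($flags['DISALLOW_FILE_MODS'])) { $caps[] = 'do_not_allow'; break; }
            // no break: falls into the unfiltered_html check below (the bug)
        case 'unfiltered_html':
            if (!empty($flags['DISALLOW_UNFILTERED_HTML'])) { $caps[] = 'do_not_allow'; break; }
            // no break: falls through to the default mapping
        default:
            $caps[] = $cap;
    }
    return $caps;
}

function map_cap_fixed(string $cap, array $flags): array {
    $caps = [];
    switch ($cap) {
        case 'unfiltered_html':
            // Own case with an unconditional break: no file capability can reach it.
            $caps[] = !empty($flags['DISALLOW_UNFILTERED_HTML']) ? 'do_not_allow' : $cap;
            break;
        case 'edit_plugins':
        case 'edit_themes':
            if (!empty($flags['DISALLOW_FILE_EDIT'])) { $caps[] = 'do_not_allow'; break; }
            // no break: file edits are also file modifications
        case 'install_plugins':
        case 'update_plugins':
        case 'delete_plugins':
        case 'update_core':
            if (!empty($flags['DISALLOW_FILE_MODS'])) { $caps[] = 'do_not_allow'; break; }
            // no break: default mapping
        default:
            $caps[] = $cap;
    }
    return $caps;
}

// Constructed input: only the HTML-filtering flag is set.
$flags = ['DISALLOW_UNFILTERED_HTML' => true];
foreach (['unfiltered_html', 'edit_plugins', 'update_core'] as $cap) {
    printf("%-16s before=%-13s after=%s\n", $cap,
        implode(',', map_cap_fallthrough($cap, $flags)), implode(',', map_cap_fixed($cap, $flags)));
}
```

A regression test for this class of bug sets each restricting flag alone and checks that only the capabilities it is documented to control map to do_not_allow.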
