WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#20488 closed defect (bug) (fixed)

DISALLOW_UNFILTERED_HTML improperly controls file edit/modifications

Reported by: nacin Owned by: nacin
Milestone: 3.4 Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: has-patch 2nd-opinion
Focuses: Cc:

Description

Apparently DISALLOW_UNFILTERED_HTML is not often used, as doing so also accidentally sets various other capabilities to do_not_allow: edit_, install_, update_, and delete_ plugins and themes, and update_core.

On one hand, it could be inferred that disallowing HTML also means you want to disallow access to install or modify code. I would agree. However, update_core should be excluded from this inference.

Attached is a unit test (the constant does not break any other tests, so it appears) and a patch. If we decide that only update_core should be excluded, the patch will be a bit simpler.

Attachments (2)

20488.diff (1.0 KB) - added by nacin 2 years ago.
test.20488.diff (881 bytes) - added by nacin 2 years ago.

Download all attachments as: .zip

Change History (5)

nacin2 years ago

nacin2 years ago

comment:1 nacin2 years ago

It looks like [14244] simply expanded a case 'unfiltered_html': to have special code. Because of the fall-throughs above it, we have the behavior we have now. It certainly does not look like it was intentional to disallow code editing or plugin updating with this constant.

comment:2 nacin2 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [20534]:

Do not block file mod/edit caps when DISALLOW_UNFILTERED_HTML is set. There are separate constants (DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS for those). fixes #20488.

Note: See TracTickets for help on using tickets.