Opened 10 years ago
Closed 10 years ago
#32985 closed enhancement (wontfix)
Grant list_users to Editor, Author and Contributor
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 4.3 |
| Component: | Role/Capability | Keywords: | needs-patch |
| Focuses: | administration | Cc: | |
Description
Right now, only Admins are given the list_users capability by default. I'd like to propose that Editors, Authors and Contributors also have list_users capability by default.
The rationale is that users with those roles would benefit from being able to browse wp-admin/users.php to be able to identify another user that could help them with a task they are unable to complete themselves (e.g. publish a post) in the event their usual contact is unavailable.
Basically this would allow lesser capability users to use things like wp-admin/users.php as a user directory. It would NOT grant user editing privilege (that's edit_users capability.)
At first glance, there could be concerns about leaking exploitable information this way, i.e. identifying administrators as a first step in an attack, but the roles I am proposing to grant list_users to do not include the default New User Default Role of Subscriber, so unless the site owner has elevated that setting, only users explicitly added could see the user list.
Ref 3.0.0 wp-admin/includes/schema.php populate_roles_300
Thanks for the ticket, allendav!
This opens up considerable security and privacy implications. For example, imagine a site with authors or editors who do not know each other yet all have the ability to publish content on the site. If they suddenly get given the ability to browse users, they'll be able to see (at a minimum) the email address of all other users on the site, which is a huge privacy concern. Even information such as a user's real name can be considered sensitive, and if a plugin is active on the site which adds even more information to the Users list table then this information will be visible too.
Just because a user is a trusted author or editor doesn't mean they're trusted enough to see any sort of personal information about other users.
This is definitely something that should be kept to a plugin for sites that need it. It could be as simple as this:
```php
add_filter( 'user_has_cap', function( array $user_caps, array $required_caps, array $args ) {
	// $args[0] is the capability being checked, $args[1] the ID of the user it is checked for.
	if ( 'list_users' === $args[0] && user_can( $args[1], 'edit_posts' ) ) {
		$user_caps['list_users'] = true;
	}
	return $user_caps;
}, 10, 3 );
```
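As an added example (not code from the ticket, its commenters or WordPress core), the plugin approach described in the comment above, extended so that the Users list table hides the email column from users who cannot `edit_users`. This only narrows what the list table screen shows; it does not cover other places that expose user data.

```php
<?php
/**
 * Plugin Name: List Users for Content Roles (illustrative mu-plugin)
 *
 * Added example, not code from the ticket or from WordPress core.
 * 1. Grants list_users to any user who can edit_posts (Editor, Author,
 *    Contributor), as the snippet in the comment does.
 * 2. Removes the email column from wp-admin/users.php for users who cannot
 *    edit_users, so the directory use case works without exposing addresses.
 * Both hook names are real WordPress filters.
 */

add_filter( 'user_has_cap', function ( array $user_caps, array $required_caps, array $args ) {
	// $args[0] is the capability being checked, $args[1] the ID of the user it is checked for.
	// user_can() re-enters this filter for 'edit_posts', but the 'list_users'
	// condition keeps that from recursing.
	if ( 'list_users' === $args[0] && user_can( (int) $args[1], 'edit_posts' ) ) {
		$user_caps['list_users'] = true;
	}
	return $user_caps;
}, 10, 3 );

add_filter( 'manage_users_columns', function ( array $columns ) {
	// Keep username, display name and role (enough to find someone to ask
	// for help), but drop email for users who cannot edit other users anyway.
	if ( ! current_user_can( 'edit_users' ) ) {
		unset( $columns['email'] );
	}
	return $columns;
} );
```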