Opened 8 years ago
Closed 7 years ago
#40230 closed defect (bug) (fixed)
Is it intended to return 500 for this message: "You can't give users that role." or "Sorry, you are not allowed to give users that role."
Reported by: | tuanmh | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 4.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Users | Keywords: | has-patch needs-testing |
Focuses: | administration | Cc: | |
Description
Hey there,
We've performed some hacking tests on our system; basically, they try to change the role of a user to a higher level (e.g. editor to administrator) using a non-authorised user. We got the message:
"You can’t give users that role." in 4.6.x or "Sorry, you are not allowed to give users that role." in 4.7 as expected but the HTTP status returned is 500.
Should we return 403 instead of 500? Is it intended?
It has caused false alerts on our system, as every time we perform the tests we get alerts by email, which could easily lead to actual 500 errors being overlooked.
This should be an easy fix:
- wp-admin/includes/user.php line 62
- wp-admin/users.php line 113
- wp-admin/network/site-users.php line 143
There are other permission-related messages which should return 403 as well.
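As an added illustration (not the ticket's attached patch and not WordPress core code), the difference the report is asking for, written in PHP. The two function names are hypothetical; `current_user_can()`, `get_editable_roles()`, `wp_die()` and `wp_update_user()` are the real WordPress APIs they call.

```php
<?php
/**
 * Added example (not WordPress core code): two ways to reject a role change
 * that the current user is not allowed to perform. promote_user_weak() and
 * promote_user_hardened() are hypothetical names for this illustration.
 */

// Weak: wp_die() is called with only a message. WordPress's default die
// handler then answers with HTTP 500, so a denied permission is
// indistinguishable from a server fault in access logs and trips
// error-rate monitoring, exactly as the report describes.
function promote_user_weak( $user_id, $new_role ) {
	$editable_roles = get_editable_roles();
	if ( ! current_user_can( 'promote_user', $user_id ) || empty( $editable_roles[ $new_role ] ) ) {
		wp_die( __( 'Sorry, you are not allowed to give users that role.' ) );
	}
	wp_update_user( array( 'ID' => $user_id, 'role' => $new_role ) );
}

// Hardened: the same capability check, but an integer second argument to
// wp_die() is treated as the HTTP response code. 403 tells clients, proxies
// and log monitors that the request was understood and refused, not that
// the application crashed, so a 500 alert again means a real failure.
function promote_user_hardened( $user_id, $new_role ) {
	$editable_roles = get_editable_roles();
	if ( ! current_user_can( 'promote_user', $user_id ) || empty( $editable_roles[ $new_role ] ) ) {
		wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
	}
	wp_update_user( array( 'ID' => $user_id, 'role' => $new_role ) );
}
```

The equivalent long form is `wp_die( $message, '', array( 'response' => 403 ) )`; either spelling sets the status the monitoring side sees.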
Attachments (1)
Change History (11)
#1
@
8 years ago
- Component changed from General to Users
- Focuses administration added
- Keywords needs-patch good-first-bug added
- Version 4.6.4 deleted
#5
@
8 years ago
- Keywords needs-testing added; good-first-bug removed
- Milestone changed from Awaiting Review to 4.8
- Owner set to johnbillion
- Status changed from new to reviewing
- Version trunk deleted
Thanks @tuanmh! I'll review it shortly.
(P.S. The Version field in Trac is used to indicate the first version that was affected by the issue. As it's a broad issue and there's no specific first version, we simply remove the value.)
Thanks for the ticket @tuanmh. Yes, these responses should provide an HTTP status code of 403 instead of 500.
If you can make a patch for these changes that would be great!