#41059 closed enhancement (fixed)
Prevent `do_not_allow` from being added as a capability
Reported by: | peterwilsoncc | Owned by: | peterwilsoncc |
---|---|---|---|
Milestone: | 4.9 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Role/Capability | Keywords: | has-patch has-dev-note |
Focuses: | Cc: |
Description
In meta capabilities, WordPress uses the keyword `do_not_allow` to indicate a user should be blocked from performing a particular action (code ref).

WP_User, WP_Role and WP_Roles do not prevent a theme or plugin from adding `do_not_allow` as a capability. Adding this capability would cause unexpected behaviour, so it should be blocked as a hardening measure.
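As an added illustration of the risk described above (example code, not the ticket's patch and not WordPress core), a small plugin-style snippet that keeps a stored `do_not_allow` grant from satisfying a capability check and audits the stored roles for it. The plugin header and the function name `example_audit_do_not_allow_roles` are hypothetical; `user_has_cap`, `wp_roles()`, `WP_Role::$capabilities` and `WP_Role::remove_cap()` are the real core hooks and APIs used.

```php
<?php
/**
 * Plugin Name: do_not_allow guard (hypothetical example, not core code)
 *
 * WP_User::has_cap() denies a request when map_meta_cap() returns the
 * 'do_not_allow' sentinel only because no user normally *holds* a
 * capability by that name. A role or user that has been granted
 * 'do_not_allow' => true would therefore pass checks meant to be denied.
 */

// Mitigation: strip the sentinel from the user's capability set before
// the check runs, so a stored 'do_not_allow' can never satisfy a denial.
add_filter(
	'user_has_cap',
	function ( $allcaps, $caps, $args, $user ) {
		unset( $allcaps['do_not_allow'] );
		return $allcaps;
	},
	10,
	4
);

/**
 * Detection: list every stored role that carries the sentinel (whether
 * granted true or false) and optionally remove it from the role.
 *
 * @param bool $remove Whether to delete the capability from each role found.
 * @return string[] Names of the roles that had 'do_not_allow' set.
 */
function example_audit_do_not_allow_roles( $remove = false ) {
	$affected = array();
	foreach ( wp_roles()->role_objects as $name => $role ) {
		if ( ! array_key_exists( 'do_not_allow', $role->capabilities ) ) {
			continue;
		}
		$affected[] = $name;
		error_log( sprintf( 'Role "%s" carries the do_not_allow capability.', $name ) );
		if ( $remove ) {
			$role->remove_cap( 'do_not_allow' ); // persists the cleaned role
		}
	}
	return $affected;
}

// Run the audit (report only) when an administrator loads wp-admin.
add_action( 'admin_init', function () {
	if ( current_user_can( 'manage_options' ) ) {
		example_audit_do_not_allow_roles( false );
	}
} );
```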
Attachments (2)
Change History (7)
#1 @ 7 years ago
- Keywords has-patch added; needs-patch removed
- Owner set to peterwilsoncc
- Status changed from new to reviewing
#3 @ 7 years ago
- Keywords needs-dev-note added
Will commit with @johnbillion's initial patch 41059.patch; this is a backcompat break, so it will need a dev note.
#5 @ 7 years ago
- Keywords has-dev-note added; needs-dev-note removed
This is included in the https://make.wordpress.org/core/2017/10/15/improvements-for-roles-and-capabilities-in-4-9/ dev note. Thanks @flixos90!
Will aim to put this in 4.9 soonish to let it soak.
@johnbillion, I like the original patch but I am inclined to prevent `do_not_allow` from making it into the DB if WP is to block it, per 41059.2.patch. I'm in two minds as the original code is required to prevent the capability from being added via a filter. What are your thoughts?