Make WordPress Core

Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#41059 closed enhancement (fixed)

Prevent `do_not_allow` from being added as a capability

Reported by: peterwilsoncc
Owned by: peterwilsoncc
Milestone: 4.9
Priority: normal
Severity: normal
Version:
Component: Role/Capability
Keywords: has-patch has-dev-note
Focuses:
Cc:
PR Number:

Description

In meta capabilities, WordPress uses the keyword do_not_allow to indicate a user should be blocked from performing a particular action (code ref).

WP_User, WP_Role and WP_Roles do not prevent a theme or plugin from adding do_not_allow as a capability. Adding this capability would cause unexpected behaviour so it should be blocked as a hardening measure.
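The following must-use plugin is an illustration added here, not one of the ticket's patches or core's commit; it shows both approaches the ticket weighs, stripping the keyword at check time through the real user_has_cap filter and scrubbing it from stored roles, for a site that cannot yet take the core fix. The reasoning in the header comment follows how WP_User::has_cap() evaluates the capabilities map_meta_cap() returns.

```php
<?php
/**
 * Plugin Name: Harden do_not_allow (illustrative, not core's patch)
 *
 * Why this matters: map_meta_cap() returns array( 'do_not_allow' ) when an
 * action is denied, and WP_User::has_cap() then requires every returned
 * primitive capability to be truthy in the user's capability map. A role or
 * plugin that grants 'do_not_allow' => true therefore satisfies that check,
 * and a denial silently becomes a grant.
 */

// 1. Check-time guard: runs on every has_cap() call, after meta caps have been
//    mapped to primitives. Drop the keyword so the "must have ALL requested
//    caps" loop fails for denied actions regardless of what is stored for the
//    user (role caps in the roles option, per-user caps in usermeta).
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
	unset( $allcaps['do_not_allow'] );
	return $allcaps;
}, PHP_INT_MAX, 4 ); // latest priority, so no other filter can re-add it

// 2. Storage guard: WP_Role::add_cap() persists to the roles option, so also
//    scrub any role that already carries the keyword. remove_cap() only
//    writes when the capability is actually present on the role.
add_action( 'init', function () {
	foreach ( wp_roles()->role_objects as $role ) {
		if ( ! empty( $role->capabilities['do_not_allow'] ) ) {
			$role->remove_cap( 'do_not_allow' );
		}
	}
} );
```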

Attachments (2)

41059.patch (3.0 KB) - added by johnbillion 2 years ago.
41059.2.patch (3.9 KB) - added by peterwilsoncc 2 years ago.

Change History (7)

#1 @johnbillion
2 years ago

  • Keywords has-patch added; needs-patch removed
  • Owner set to peterwilsoncc
  • Status changed from new to reviewing

#2 @peterwilsoncc
2 years ago

  • Milestone changed from Awaiting Review to 4.9

Will aim to put this in 4.9 soonish to let it soak.

@johnbillion,

I like the original patch but I am inclined to prevent do_not_allow from making it into the DB if WP is to block it, per 41059.2.patch.

I'm in two minds as the original code is required to prevent the capability from being added via a filter. What are your thoughts?

#3 @peterwilsoncc
2 years ago

  • Keywords needs-dev-note added

Will commit with @johnbillion's initial patch 41059.patch; this is a backcompat break so it will need a dev note.

#4 @peterwilsoncc
2 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 40993:

Capabilities: Prevent users having the do_not_allow capability.

Meta capabilities use the capability do_not_allow to indicate a user should be blocked from performing a particular action. This ensures users cannot have the capability, as it would cause unexpected behaviour.

Props johnbillion.
Fixes #41059.

#5 @jbpaul17
2 years ago

  • Keywords has-dev-note added; needs-dev-note removed