Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#52246 closed defect (bug) (invalid)

A lower user role user (editor) can assign the post author to a higher user role user (administrator)

Reported by: ninetyninew
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.6
Component: Users
Keywords:
Focuses: administration
Cc:

Description

Unsure if I have maybe messed around with my user role permissions at some stage but I've just noticed when logged in as an editor I can assign a new post to an administrator. If this isn't me previously changing user role caps then is this functionality correct?

Change History (3)

#1 @ninetyninew
4 years ago

  • Focuses administration added
  • Version set to 5.6

#2 @SergeyBiryukov
4 years ago

  • Component changed from General to Users

#3 @johnbillion
4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Thanks for the report @ninetyninew. This is indeed expected behaviour. There is no inherent hierarchy between user roles in WordPress, even though by default it can seem that way. Both the Editor role and the Administrator role have the ability to assign any other user as the author of a post, and this is allowed regardless of the role of the user being assigned.

Similarly, Editors can edit posts, pages, attachments, and comments that are published by an Administrator. This is expected.
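
For sites that want a stricter rule than the default described in this ticket, the sketch below is an added example, not WordPress core code and not from the ticket's participants. Because roles have no hierarchy, the policy has to be written as a capability check; the function name `example_guard_post_author` and the use of `manage_options` as the marker for a privileged account are assumptions of this example.

```php
<?php
/**
 * Hypothetical must-use plugin (added example, not part of WordPress core).
 * Assumed site policy: a user without 'manage_options' may not set a
 * post's author to a user who has 'manage_options'.
 */
add_filter( 'wp_insert_post_data', 'example_guard_post_author', 10, 2 );

function example_guard_post_author( $data, $postarr ) {
	$new_author = isset( $data['post_author'] ) ? (int) $data['post_author'] : 0;
	$actor      = get_current_user_id();

	// No logged-in user (cron, WP-CLI, imports) or self-assignment: nothing to enforce.
	if ( 0 === $actor || 0 === $new_author || $new_author === $actor ) {
		return $data;
	}

	// On update, compare with the stored author so that ordinary edits to
	// another user's post (expected behaviour for Editors) pass through.
	$post_id    = ! empty( $postarr['ID'] ) ? (int) $postarr['ID'] : 0;
	$old_author = $post_id ? (int) get_post_field( 'post_author', $post_id ) : $actor;
	if ( $new_author === $old_author ) {
		return $data;
	}

	// The author is being changed. Block it only when the target holds the
	// privileged capability and the acting user does not.
	if ( user_can( $new_author, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
		$data['post_author'] = $old_author; // Keep the previous author (or the actor on a new post).
	}

	return $data;
}
```

The filter runs on every save path that goes through `wp_insert_post()`, so it covers the editor UI and REST requests alike; hiding users from the author dropdown alone would not.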
