Make WordPress Core

Opened 6 years ago

Closed 4 years ago

#6566 closed defect (bug) (wontfix)

custom-built roles can create administrator users

Reported by: Denis-de-Bernardy Owned by:
Milestone: Priority: normal
Severity: minor Version: 2.5
Component: Security Keywords: capabilities close
Focuses: Cc:


If you create a custom role using the role manager, and let that role edit options for any reasons (e.g. you want to set up some kind of demo site), then users with that role can open registrations, and assign administrator as the default role, then let themselves in as administrator.


	function default_role($o)
		if ( $o == 'administrator' && get_option('users_can_register') )
			global $wp_roles;
			foreach ( $wp_roles->role_names as $role => $name )
				if ( $role != 'administrator' )
					$o = $role;
					add_action('shutdown', create_function('', "update_option('default_role', '$role');"));
		return $o;
	} # default_role()

add_filter('option_default_role', 'default_role');

Change History (5)

comment:1 pishmishy6 years ago

  • Keywords capabilities added
  • Milestone 2.5.2 deleted
  • Resolution set to invalid
  • Status changed from new to closed

This is by design. The edit_options capability is intended to allow a user to edit options ;-) . See also #6014.

I've discussed these sorts of issues with the author of the role manager plugin and the conclusion seems to be that if you're not sure what each capability actually allows, you shouldn't be messing with them :-)

It may be a documentation issue but I'm reluctant to accept it as a bug so I'm going to close for now.

comment:2 Denis-de-Bernardy4 years ago

  • Milestone set to 3.0

true, but this prevents anyone from creating a proper demo site.

comment:3 Denis-de-Bernardy4 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

comment:4 dd324 years ago

  • Keywords close added

This is IMO, a wontfix.

If you wish to have a demo site, with people being able to edit options, Then you need to lock certain options down. Its nothing new, You have a user that can change security-related then they must be trusted.

Add a filter to the sanitization hook for that function, and always return the old setting. Job done.

comment:5 nacin4 years ago

  • Milestone 3.0 deleted
  • Resolution set to wontfix
  • Status changed from reopened to closed
Note: See TracTickets for help on using tickets.