#6662 closed defect (bug) (fixed)
Users without capability "create_users" can add new users
| Reported by: | imwebgefunden | Owned by: | |
|---|---|---|---|
| Milestone: | 2.5.1 | Priority: | high |
| Severity: | critical | Version: | 2.5 |
| Component: | Security | Keywords: | |
| Focuses: | | Cc: | |
Description
If a user has the capability "edit_users" and not the capability "create_users" he can add new users.
The defect is in admin-ajax.php. The check is against "edit_users" and not "create_users". I've attached a patch to fix this issue.
A second one - more an add-on and not a defect: We should show the add user form only if the current user has the capability to add a new user. If the current user has the capability "create_users" the form will be shown. The second patch I attached makes this job.
Attachments (2)
Patch for admin-ajax.php to check against "create_users"
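To illustrate the two points in the ticket (the wrong capability in the AJAX gate, and hiding the form from users who cannot create accounts), here is an added example in the shape of a WordPress plugin. It is not WordPress core code and not the reporter's patch; it assumes a WordPress environment, where `current_user_can`, `check_ajax_referer`, `wp_insert_user`, `wp_die`, `is_wp_error` and `add_action` are the real core functions, while the `example_*` function and action names and the `add-user` nonce action are placeholders chosen for this illustration.

```php
<?php
// Added example (not WordPress core). Assumes it runs inside WordPress.

// 'Before': the handler is gated on the wrong capability. A role that has
// edit_users but was never granted create_users passes this check and can
// insert a brand-new account, which is the defect described in the ticket.
function example_add_user_handler_weak() {
    check_ajax_referer( 'add-user' );              // CSRF check only; not an authorization check
    if ( ! current_user_can( 'edit_users' ) ) {    // wrong capability for *creating* users
        wp_die( -1 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['user_login'] ),
        'user_email' => sanitize_email( $_POST['user_email'] ),
        'user_pass'  => $_POST['user_pass'],
        'role'       => 'subscriber',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_die( $user_id->get_error_message() );
    }
    echo (int) $user_id;
    wp_die();
}

// 'After': gate on the capability that actually authorizes account creation.
// Editing existing users and creating new ones are separate privileges, so
// the check must name the privilege this handler exercises.
function example_add_user_handler_fixed() {
    check_ajax_referer( 'add-user' );
    if ( ! current_user_can( 'create_users' ) ) {  // correct capability
        wp_die( -1 );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $_POST['user_login'] ),
        'user_email' => sanitize_email( $_POST['user_email'] ),
        'user_pass'  => $_POST['user_pass'],
        'role'       => 'subscriber',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_die( $user_id->get_error_message() );
    }
    echo (int) $user_id;
    wp_die();
}

// Register only the corrected handler (hypothetical action name).
add_action( 'wp_ajax_example_add_user', 'example_add_user_handler_fixed' );

// Second point from the ticket: render the add-user form only for users who
// hold create_users. Hiding the form is a usability measure; the server-side
// check above is what actually enforces the restriction.
function example_render_add_user_form() {
    if ( ! current_user_can( 'create_users' ) ) {
        return;                                    // no form for users who cannot create accounts
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'add-user' ); ?>
        <input type="text" name="user_login" />
        <input type="email" name="user_email" />
        <input type="password" name="user_pass" />
        <input type="submit" value="Add User" />
    </form>
    <?php
}
```

The two handlers differ in a single string, which is the point: the nonce check stops cross-site requests but says nothing about what the logged-in user is allowed to do, so the capability named in `current_user_can` has to match the operation being performed.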