Opened 17 years ago
Closed 17 years ago
#6908 closed defect (bug) (duplicate)
Creating new users role - a security risk?
| Field | Value |
|---|---|
| Reported by | CrazySerb |
| Owned by | |
| Milestone | |
| Priority | normal |
| Severity | normal |
| Version | 2.5.1 |
| Component | Security |
| Keywords | user roles, group levels |
| Focuses | |
| Cc | |
Description
Ok, I've noticed that users with roles below Administrator (if allowed to Create/Edit/Delete users in the Role Manager plugin) are able to:
- list all users (which is a bit insecure, as I would expect them to be able only to list users in levels up to their level, not above, like admins)
- edit/delete all users (which is even more insecure, as this way they can simply "upgrade" any of the existing users to admins with no problem)
- add new users with any roles assigned to them, even administrator role.
Could that be fixed, so that users in a group with a level of 7 can't see any of the other groups above level 7, and can't create new/edit existing users and assign them any role higher than 7, for example?
Otherwise, this is a major security risk for anyone allowing any users in groups less than administrator to administer other users.
Change History (3)
#1, 17 years ago (follow-up: 2)
- Milestone set to 2.7
- Priority changed from highest omg bbq to normal
- Severity changed from major to normal
#2, 17 years ago (in reply to 1)
Replying to Otto42:
> Allowing users to edit users higher than themselves does indeed not make much sense, however the user level number idea is deprecated/not used anymore. Perhaps some way to define an order on the Roles, thus allowing it to determine which roles are above other roles?
This was discussed on another ticket/mailing list, I can't remember where.
The idea which was suggested that made most sense to me was that users should not be able to create a user with a capability they themselves do not have, so if they do not have the manage_options capability, they should not be able to create a user who would have the manage_options cap. And a similar route for editing users.
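The rule proposed in comment #2 (no role ordering; a user may only hand out capabilities they already hold) can be enforced with two filters. The following is an added example, not code from this ticket, from the Role Manager plugin, or from WordPress core. It assumes a modern WordPress: the `editable_roles` filter (added in 2.8) and the `map_meta_cap` filter (added in 4.4) did not exist in the 2.5.1 this ticket was filed against. The `ex_` function name is this example's own, not a core API.

```php
<?php
/**
 * Added example, not code from this ticket or from WordPress core.
 *
 * Enforces the rule from comment #2 without ordering roles:
 *  - a user may only assign (on create or edit) a role whose capabilities
 *    are a subset of the user's own capabilities;
 *  - a user may only edit, promote, or delete a target user whose effective
 *    capabilities are a subset of the user's own capabilities.
 *
 * Assumptions: WordPress 4.4+ (for the 'map_meta_cap' filter; 'editable_roles'
 * dates from 2.8) and PHP 7+. Load as a plugin or from wp-content/mu-plugins/.
 * The ex_ prefix marks this example's own helper, not a core function.
 */

/**
 * True when every capability that $caps grants is also held by $user.
 * Entries set to false grant nothing, so they are ignored.
 */
function ex_caps_within_user( array $caps, WP_User $user ) : bool {
    foreach ( $caps as $cap => $granted ) {
        if ( $granted && ! $user->has_cap( $cap ) ) {
            return false;
        }
    }
    return true;
}

/**
 * Drop from the assignable roles every role that would hand out a capability
 * the current user lacks. wp-admin builds the role dropdown from
 * get_editable_roles() and edit_user() refuses a role outside that set, so
 * this covers both "add new user" and "change an existing user's role".
 */
add_filter( 'editable_roles', function ( array $roles ) : array {
    $current = wp_get_current_user();
    foreach ( $roles as $role_name => $role ) {
        if ( ! ex_caps_within_user( $role['capabilities'], $current ) ) {
            unset( $roles[ $role_name ] );
        }
    }
    return $roles;
} );

/**
 * Deny editing, promoting, or deleting a target user who already holds a
 * capability the acting user does not. For these meta capabilities $args[0]
 * is the target user ID; adding 'do_not_allow' makes current_user_can()
 * return false whatever else the actor may hold.
 */
add_filter( 'map_meta_cap', function ( array $caps, $cap, $user_id, array $args ) : array {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $actor  = get_userdata( (int) $user_id );
    $target = get_userdata( (int) $args[0] );
    if ( ! $actor || ! $target ) {
        return $caps;
    }
    // allcaps holds the target's effective capabilities, but also one entry
    // per role name (e.g. 'subscriber' => true). Drop the role-name entries
    // so an editor is not refused a subscriber merely for not "having" the
    // subscriber role; only real capabilities are compared.
    $target_caps = array();
    foreach ( array_filter( $target->allcaps ) as $cap_name => $granted ) {
        if ( ! wp_roles()->is_role( $cap_name ) ) {
            $target_caps[ $cap_name ] = true;
        }
    }
    if ( ! ex_caps_within_user( $target_caps, $actor ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );
```

With this loaded, a user holding `edit_users` but not `manage_options` no longer sees Administrator in the role dropdown, and `current_user_can( 'edit_user', $admin_id )` returns false for an administrator target, which is exactly the privilege escalation the ticket describes. A user editing their own profile is unaffected, since their capabilities are trivially a subset of their own. Because `WP_User::has_cap()` treats a capability absent from `allcaps` as not held, a custom role that grants a capability nobody else has can only be assigned by users who already hold that capability.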
#3, 17 years ago
- Milestone 2.7 deleted
- Resolution set to duplicate
- Status changed from new to closed
It was discussed in #6014, which is identical in principle to this ticket.
To repeat myself, we shouldn't be imposing any ordering on roles:
- An order would be equivalent to the user level numbers (albeit with different labels). We moved away from this.
- We'd never agree on a default ordering (we leave such things to plugins if desired by the user).
Problems arise because people aren't informed of the true extent of 'edit_users' capability. I suggested that the authors of plugins who allow users to mess with capabilities should make it very clear to their users. I still don't believe it's a WordPress issue (although we could look at improving our documentation), but I'll hold off closing the other ticket for risk of upsetting too many people :-)