WordPress.org

1. CrazySerb
   Member
   Posted 5 years ago #
   

   Ok, in WP2.5.1 I've noticed that when Users with roles less than an Administrator (and if allowed to Create/Edit/Delete users defined in Role Manager (plugin) are able to:

   - list all users (which is a bit insecure, as I would expect them to be able only to list users in levels up to their level, not above, like admins)

   - edit/delete all users (which is even more insecure, as this way they can simply "upgrade" any of the existing users to admins with no problem)

   - add new users with any roles assigned to them, even administrator role.

   so, after some digging into the code, I found that there are 2-3 functions that control the display of available roles:

   1) /wp-admin/includes/template.php (line 968), function wp_dropdown_roles

   2) /wp-includes/capabilities.php (line 15), function _init ()

   3) /wp-admin/user-edit.php (line 209)

   Now, what I would really be happy just for starters (until this gets sorted in the official code or patched somehow), is a way to remove "administrator" role from the dropdown of roles in those 3 files for all users who are not administrators.

   Anyone know how?

2. CrazySerb
   Member
   Posted 5 years ago #
   

   Ok, I've done this, as a hard core hack, which now prevents me from logging in as the administrator (which is ok, until I need to get into the admin as an administrator):

   in wp-includes/capabilities.php, after line 24 I've added this:

   $this->roles = array_splice($this->roles,1,10,$this->roles);

   and that removes the first role from the database when they're all pulled out (and first role seems to be the admin, for some reason).

   now if I could only check for something like current_user_can('level_10') in that file directly so to execute that array splicing only for non admins, that would be perfect!

Topic Closed

This topic has been closed to new replies.