
User Switching
[resolved] Security (4 posts)

  1. Gabriel Reguly
    Member
    Posted 2 years ago #

    Hi,

    This was reported as fixed, but the flaw still exists.

    An administrator can become a super-administrator in multisite.

    Regards,
    Gabriel

    http://wordpress.org/extend/plugins/user-switching/

  2. Gabriel Reguly
    Member
    Posted 2 years ago #

    Hi again,

    I have done a fix for the issue, in function map_meta_cap(..)

    replace

    if ( ( 'switch_to_user' == $cap ) and ( $args[0] == $user_id ) )

    with

    if ( ( 'switch_to_user' == $cap ) and ( ( $args[0] == $user_id ) or ( is_super_admin( $args[0] ) ) ) )

    Regards,
    Gabriel

  3. John Blackbourn
    Member
    Plugin Author

    Posted 2 years ago #

    Hi Gabriel,

    Thanks for the feedback. I cannot reproduce this problem.

    The 'do_not_allow' capability in map_meta_cap() only affects super-admins and simply prevents them from switching to themselves. Your fix will prevent super admins switching to other super admins.

    The user_cap_filter() function grants the 'switch_to_user' capability to users only if they can edit the user they're trying to switch to (and if it's not themselves). Site admins cannot edit super admins, so therefore they're not granted the 'switch_to_user' capability for super admins.

    Are you running a plugin which might be affecting user roles or capabilities?

  4. Gabriel Reguly
    Member
    Posted 2 years ago #

    Hi John,

    As a matter of fact, I am running some code that is causing the issue.

    I'll have a look at it to make a fix at the correct place.

    Thanks for your support.

    Regards,
    Gabriel
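
The two checks discussed in this thread, modelled as an added stand-alone example (not the plugin's code and not posted by either participant). It shows why the condition proposed in post 2 also blocks super admins from switching to other super admins, and how extra code that lets site admins edit super admins produces the reported symptom. All `model_*` names, the user IDs and the `$extra_grant` flag are assumptions made for illustration.

```php
<?php
// Added illustration: a stand-alone model of the two checks described in the
// thread. It is not the plugin's code; all model_* names are hypothetical.

const SUPER_ADMINS = [1, 2];   // constructed user IDs: 1 and 2 are super admins
const SITE_ADMIN   = 3;        // constructed user ID: an ordinary site admin

function model_is_super_admin(int $id): bool {
    return in_array($id, SUPER_ADMINS, true);
}

// Stage 1, map_meta_cap(): true means 'do_not_allow', a hard deny that
// WordPress core applies even to super admins.
function model_do_not_allow(string $cap, int $user_id, array $args, bool $patched): bool {
    if ($patched) {   // condition proposed in post 2
        return 'switch_to_user' == $cap
            && ($args[0] == $user_id || model_is_super_admin($args[0]));
    }
    return 'switch_to_user' == $cap && $args[0] == $user_id;   // original condition
}

// Core rule stated in post 3: site admins cannot edit super admins.
// $extra_grant models third-party code that overrides that rule (assumption).
function model_can_edit(int $user_id, int $target, bool $extra_grant): bool {
    if (model_is_super_admin($user_id)) return true;
    return model_is_super_admin($target) ? $extra_grant : true;
}

// Stage 2, user_cap_filter(): grant only if the actor can edit the target.
function model_can_switch(int $user_id, int $target, bool $patched = false, bool $extra_grant = false): bool {
    if (model_do_not_allow('switch_to_user', $user_id, [$target], $patched)) {
        return false;
    }
    // Core lets super admins pass any check not mapped to 'do_not_allow'.
    if (model_is_super_admin($user_id)) return true;
    return $target != $user_id && model_can_edit($user_id, $target, $extra_grant);
}

$cases = [
    'site admin -> super admin'              => [SITE_ADMIN, 1, false],
    'site admin -> super admin, extra grant' => [SITE_ADMIN, 1, true],
    'super admin -> other super admin'       => [1, 2, false],
    'super admin -> self'                    => [1, 1, false],
];
foreach ($cases as $label => [$actor, $target, $grant]) {
    printf("%-40s original=%-5s patched=%s\n", $label,
        var_export(model_can_switch($actor, $target, false, $grant), true),
        var_export(model_can_switch($actor, $target, true, $grant), true));
}
```

Only the "extra grant" row lets a site admin reach a super admin under the original condition, which is why the durable fix belongs in the code that widens edit rights rather than in `map_meta_cap()`.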

Topic Closed

This topic has been closed to new replies.
