OK, in WP 2.5.1 I’ve noticed that users with roles below Administrator (if they are allowed to create/edit/delete users, as defined in the Role Manager plugin) are able to:
– list all users (which is a bit insecure, as I would expect them to be able to list only users at levels up to their own, not above, like admins)
– edit/delete all users (which is even more insecure, as this way they can simply “upgrade” any of the existing users to admin with no problem)
– add new users with any role assigned to them, even the administrator role.
So, after some digging into the code, I found that there are 2–3 functions that control the display of available roles:
1) /wp-admin/includes/template.php (line 968), function wp_dropdown_roles
2) /wp-includes/capabilities.php (line 15), function _init ()
3) /wp-admin/user-edit.php (line 209)
Now, what I would really be happy with just for starters (until this gets sorted out in the official code or patched somehow) is a way to remove the “administrator” role from the dropdown of roles in those 3 files for all users who are not administrators.
Does anyone know how?
Topic: ‘Creating new users role – a security risk?’ (closed to new replies)
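The three symptoms in the post (non-administrators can see, edit/delete, and create administrators) are the same check missing in three places, so an added example that is not part of the original thread or of any reply to it is shown below as a small WordPress plugin. It assumes a current WordPress, not 2.5.1: the `editable_roles` filter (added in 2.8), the `map_meta_cap` filter and the `role__not_in` query argument (both added in 4.4) did not exist in 2.5.1, where the only option was to patch the three files the post names. The function name `rrm_user_is_admin` and the plugin name are hypothetical.

```php
<?php
/*
Plugin Name: Keep administrator accounts out of reach of non-administrators (example)
Description: Added example, not part of the forum thread. Hooks from WP >= 4.4; not available in 2.5.1.
*/

// Hypothetical helper: does this user hold the administrator role?
function rrm_user_is_admin( $user_id ) {
	$user = get_userdata( $user_id );
	return $user && in_array( 'administrator', (array) $user->roles, true );
}

// Symptom 3 (and the "upgrade to admin" half of symptom 2): remove the administrator
// role from get_editable_roles() for non-administrators. wp_dropdown_roles() builds
// its <select> from that list, and edit_user() rejects a posted role that is not in
// it, so a tampered POST is refused as well as the option being hidden in the UI.
add_filter( 'editable_roles', function ( $roles ) {
	if ( ! rrm_user_is_admin( get_current_user_id() ) ) {
		unset( $roles['administrator'] );
	}
	return $roles;
} );

// Symptom 2: a non-administrator may not edit, delete or promote an administrator.
// 'do_not_allow' is a capability nobody holds, so current_user_can() fails.
// The self-edit case ($user_id == $args[0]) is left alone: a non-admin editing
// their own profile is already covered by the editable_roles filter above.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
	$per_user_caps = array( 'edit_user', 'delete_user', 'promote_user' );
	if ( in_array( $cap, $per_user_caps, true )
		&& ! empty( $args[0] )
		&& (int) $args[0] !== (int) $user_id
		&& rrm_user_is_admin( $args[0] )
		&& ! rrm_user_is_admin( $user_id ) ) {
		$caps[] = 'do_not_allow';
	}
	return $caps;
}, 10, 4 );

// Symptom 1: hide administrators from the Users screen for non-administrators.
// This is display hygiene only; the capability filter above is the real control.
add_action( 'pre_get_users', function ( $query ) {
	if ( is_admin() && ! rrm_user_is_admin( get_current_user_id() ) ) {
		$query->set( 'role__not_in', array( 'administrator' ) );
	}
} );
```

Drop the file into `wp-content/mu-plugins/` so it cannot be deactivated from the Plugins screen by the same users it restricts. The ordering matters: the `editable_roles` and `map_meta_cap` hooks are what actually deny the action, and the `pre_get_users` hook only removes the rows from the listing, so test with a direct request to `user-edit.php?user_id=<admin id>` as a non-administrator rather than by looking at the list alone. On multisite, super admins also need to be allowed through; the example does not cover that.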