Creating new users role – a security risk?

  • Ok, in WP2.5.1 I’ve noticed that Users with roles less than an Administrator (if allowed to Create/Edit/Delete users, as defined in the Role Manager plugin) are able to:

    – list all users (which is a bit insecure, as I would expect them to be able only to list users in levels up to their level, not above, like admins)

    – edit/delete all users (which is even more insecure, as this way they can simply “upgrade” any of the existing users to admins with no problem)

    – add new users with any roles assigned to them, even administrator role.

    So, after some digging into the code, I found that there are 2-3 functions that control the display of available roles:

    1) /wp-admin/includes/template.php (line 968), function wp_dropdown_roles

    2) /wp-includes/capabilities.php (line 15), function _init ()

    3) /wp-admin/user-edit.php (line 209)

    Now, what I would really be happy with just for starters (until this gets sorted in the official code or patched somehow) is a way to remove the “administrator” role from the dropdown of roles in those 3 files for all users who are not administrators.

    Anyone know how?

Viewing 1 replies (of 1 total)
  • Ok, I’ve done this as a hard-core hack, which now prevents me from logging in as the administrator (which is ok, until I need to get into the admin as an administrator):

    in wp-includes/capabilities.php, after line 24 I’ve added this:

    $this->roles = array_splice($this->roles,1,10,$this->roles);

    and that removes the first role from the list when they’re all pulled out of the database (and the first role seems to be the admin, for some reason).

    Now if I could only check for something like current_user_can('level_10') in that file directly so as to execute that array splicing only for non-admins, that would be perfect!
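    The filtering both posts are after can be done from a plugin instead of editing core files. The following is an added example, not code from either poster: it assumes a current WordPress (the editable_roles filter, the map_meta_cap filter and wp_roles() did not exist in 2.5.1), only lets a user assign roles whose capabilities are a subset of their own, and refuses edit/delete/promote on users who hold a role the acting user could not assign. The function name example_assignable_roles is made up for this example.

```php
<?php
/*
Plugin Name: Restrict assignable roles (added example, not from the thread)
*/

// Roles a given user may hand out: only those whose granted capabilities
// are a subset of the user's own, so nobody can assign a role that outranks
// them (administrator included). $all_roles has the shape of WP_Roles::$roles.
function example_assignable_roles( WP_User $user, array $all_roles ) {
    if ( in_array( 'administrator', (array) $user->roles, true ) ) {
        return $all_roles; // administrators keep the full dropdown
    }
    foreach ( $all_roles as $slug => $role ) {
        $granted = array_keys( array_filter( (array) $role['capabilities'] ) );
        foreach ( $granted as $cap ) {
            if ( empty( $user->allcaps[ $cap ] ) ) {
                unset( $all_roles[ $slug ] ); // role grants something the user lacks
                break;
            }
        }
    }
    return $all_roles;
}

// Trim the role dropdown on user-new.php / user-edit.php for the current user.
add_filter( 'editable_roles', function ( array $all_roles ) {
    return example_assignable_roles( wp_get_current_user(), $all_roles );
} );

// Also refuse edit/delete/promote on users who hold a role the acting user
// may not assign, so a lower role cannot modify or "upgrade" an administrator.
add_filter( 'map_meta_cap', function ( array $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $actor  = get_userdata( (int) $user_id );
    $target = get_userdata( (int) $args[0] );
    if ( ! $actor || ! $target || $actor->ID === $target->ID ) {
        return $caps; // editing your own profile stays under core's rules
    }
    $allowed = array_keys( example_assignable_roles( $actor, wp_roles()->roles ) );
    foreach ( (array) $target->roles as $role ) {
        if ( ! in_array( $role, $allowed, true ) ) {
            $caps[] = 'do_not_allow'; // sentinel that WordPress treats as a denied capability
            break;
        }
    }
    return $caps;
}, 10, 4 );
```

    With this active, an editor still sees editor/author/contributor/subscriber in the dropdown but never administrator, and attempts to edit or delete an administrator account fail the capability check rather than relying on the dropdown alone.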

  • The topic ‘Creating new users role – a security risk?’ is closed to new replies.