Hi,
You are right. It is a real security hole. I will investigate the subject and return with the solution.
Thanks for the help.
Regards,
Vladimir.
I fixed this issue both for user-edit.php?user_id= and for user.php?action=delete&user= requests in URE version 2.0.1.
Thanks again.
Please check and share your test results.
Sahar (@saharusa), thread starter:
I confirm, not possible to edit admin by changing id at the url anymore.
Thanks a lot.
I tried switching off edit_others_pages and delete_others_pages for the Editor role, then went to Pages and found that the Trash option and Empty Trash in the Trash bin were available and worked for an Editor for pages created by Admin.
I’m on 2.9.2.
Thanks
Excuse me for such a late reply. I considered this topic closed and did not look into it for a long time.
1st, I tried to repeat your actions and do not have an ‘Edit’ option in the pages list for admin-created pages – just a ‘View’ one. So I do not have any Trash links for an Editor role modified this way.
2nd, if some problem exists in this case, I’m not sure that it is a URE plugin problem.
Sahar (@saharusa), thread starter:
The latest version brings back this old problem; Editor has Administrator power now.
Oops! Thank you.
I will check and return with update ASAP.
Please try this version
http://www.shinephp.com/wp-content/downloads/wordpress/plugins/user-role-editor-2.2.3.zip
Only a user with the Administrator role, and the superadmin user in a multi-site environment, have access to the User Role Editor Settings page now.
I still need to update the code so that a sub-blog admin under multi-site can use URE too for their own sub-blog. I plan to do it tomorrow.
There is a hole if a user has ‘delete_users’ and plugin management capabilities, as WP then considers him an administrator and gives access to the Plugins menu, where the user can deactivate URE or just upload any PHP code as a WP plugin… It is more a question of trust and accuracy when giving critical rights to someone.
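The two request paths fixed in URE 2.0.1 earlier in this thread (user-edit.php?user_id= and user.php?action=delete&user=) and the capability hole described just above both come down to the same question: may the acting user touch the target account at all, independent of the id typed into the URL? The block below is an added example, not User Role Editor's own code or the fix Vladimir shipped. It is a small stand-alone plugin that hooks the core map_meta_cap filter and denies the edit_user, delete_user and remove_user meta capabilities whenever the target account is an administrator (or a multisite super admin) and the acting user is not. WordPress core's user-edit.php and users.php screens resolve these meta capabilities through current_user_can(), so both request paths are covered by one check. The function and plugin names are assumptions chosen for the example.

```php
<?php
/*
 * Plugin Name: Protect Administrator Accounts (added example)
 * Description: Added example, not URE's code. Denies non-administrators the
 * edit_user / delete_user / remove_user meta capabilities when the target
 * account is an administrator, whatever user id the request carries.
 */

// Hypothetical helper name: true when the given user id belongs to an
// administrator, or to a super admin on a multisite install.
function pa_example_is_admin_account( $user_id ) {
    $user_id = (int) $user_id;
    if ( $user_id <= 0 ) {
        return false;
    }
    if ( is_multisite() && is_super_admin( $user_id ) ) {
        return true;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return false;
    }
    return in_array( 'administrator', (array) $user->roles, true );
}

// map_meta_cap receives ( $caps, $cap, $acting_user_id, $args ); for the
// user-targeting meta capabilities $args[0] is the target user id.
function pa_example_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $target_id = (int) $args[0];

    // Nothing to protect unless the target is an administrator.
    if ( ! pa_example_is_admin_account( $target_id ) ) {
        return $caps;
    }

    // Only another administrator (or super admin) may edit, delete or
    // remove an administrator. 'do_not_allow' is a capability no user
    // has, so appending it makes current_user_can() return false.
    if ( ! pa_example_is_admin_account( $user_id ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'pa_example_protect_admin_accounts', 10, 4 );
```

Because the decision is made from the target account's actual role rather than from anything in the request, changing user_id= or user= in the URL to an administrator's id yields a denial for an Editor even if that role has been granted edit_users or delete_users. It does not close the hole described in this post: a role that also holds activate_plugins (or upload_plugins) can simply deactivate this plugin, or URE itself, from the Plugins menu, which is why those capabilities should be treated as equivalent to administrator access.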
Sahar (@saharusa), thread starter:
Thank you, Vladimir,
Things are back to normal now.