[Plugin: User Switching] Hole security ? | WordPress.org

Resolved mcarballo
(@mcarballo)

13 years, 7 months ago

Firstly thank you for your plugin!
I tested it and it allows me to solve a problem after I upgraded to WPMU 2.9.2 to WP 3.0.1 (Mulitisite) : provide an opportunity for a blog admin to edit the user profile of other users of the blog.
Your plugin gives me this opportunity and even more …

However, it also something that seems to me dangerous : allow an admin to switch to the profile of a superadmin if he is declared User Blog!

Is this normal and wanted? And would you have a solution to prevent it?

Thank you in advance for your reply

http://wordpress.org/extend/plugins/user-switching/

Viewing 5 replies - 1 through 5 (of 5 total)

Plugin Author John Blackbourn
(@johnbillion)

WordPress Core Developer

13 years, 7 months ago

Thanks mcarbello, this is something I haven’t considered with the new multisite functionality in WP3.0. I’ll look into a fix in the next couple of days.

Thread Starter mcarballo
(@mcarballo)

13 years, 7 months ago

Thanks you !
I’m waiting for your fix…

Thread Starter mcarballo
(@mcarballo)

13 years, 6 months ago

What about your fix ?

May be this post can help you :

If you use it, replace the “edit-themes” capability by this one : “manage_options”

See this post for more information :

http://wordpress.org/support/topic/capability-manage_options-vs-edit_themes?replies=5

What do you think about this ?

Thread Starter mcarballo
(@mcarballo)

13 years, 5 months ago

No news ?

Plugin Author John Blackbourn
(@johnbillion)

WordPress Core Developer

13 years, 4 months ago

Hey mcarbello, I’ve just updated the plugin (to 0.3.1) to fix this issue.

John

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘[Plugin: User Switching] Hole security ?’ is closed to new replies.

In: Plugins
5 replies
2 participants
Last reply from: John Blackbourn
Last activity: 13 years, 4 months ago
Status: resolved