• I am running WP 1.2.2 and there seems to be, at least, some inconsistency in user level treatment at different points of the code:

    1. On the administration side of WP one can edit his own posts and also the ones with lower user levels.

    2. On the other side, if a logged-on user browses the site he can see the ‘edit’ button for any post with a lower user level than his own, and can also effectively edit posts from people with the same user level.

    I performed a patch to bring some consistent behaviour to the user interface. The change must be done on function edit_post_link() located in template-functions-links.php. The patch can be found at the end of this post.

    The patch is working fine at the moment. With this hack users have a *visual feeling* that they can change posts from users with lower user level and also their own.

    Unfortunately, this is not completely true and therefore not fully secure. It is still possible for any logged-on user to edit posts from users with the same user level as him/her.

    The source of this is that post.php does check user levels but not user logins when authorizing actions. This way, a change could be made by a valid user through a bookmark or by calling the URL directly.

    I decided not to perform any further code hacking on post.php until I know whether this functionality is going to be the standard behaviour in future releases of the code.

    Will this be the case? I do not want to put stones on my path of future software upgrades.

    Carlos Veira Lorenzo
    ———————————–
    DeepZone Digital Security
    http://www.deepzone.org
    ———————————–

    –[BEGIN]

    function edit_post_link($link = 'editar', $before = '—&nbsp;&nbsp;[ ', $after = ' ]') {
        /* original code - cveira at dotpi.com 2005/02/03
        global $user_level, $post;
        */

        /* new code - cveira at dotpi.com 2005/02/03 */
        global $user_level, $user_login, $post;

        get_currentuserinfo();

        if ($user_level > 0) {
            $authordata = get_userdata($post->post_author);

            /* original code - cveira at dotpi.com 2005/02/03
            if ($user_level < $authordata->user_level) {
                return;
            }
            */

            /* new code - cveira at dotpi.com 2005/02/03 */
            if ($user_level < $authordata->user_level) {
                // the author outranks the current user: no edit link
                return;
            } elseif ($user_level == $authordata->user_level && $user_login != $authordata->user_login) {
                // same user level but a different user: only the owner gets the link
                return;
            }
        } else {
            // not logged on: no edit link at all
            return;
        }

        $location = get_settings('siteurl') . "/wp-admin/post.php?action=edit&amp;post=$post->ID";
        echo "$before <a href=\"$location\">$link</a> $after";
    }

    –[END]
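    The post above points out that edit_post_link() and post.php apply different rules (level only versus level plus login). As an added example, not part of Carlos's post or of WordPress itself, here is one authorization predicate shared by the edit link and the action handler so the two cannot drift apart; user_can_edit_post() and handle_edit_action() are hypothetical names, and the user records are constructed sample data.

```php
<?php
// Added example, not the author's patch nor WordPress code.
// One predicate for "may this user edit this post", to be called both
// where the edit link is rendered and in post.php before saving.
function user_can_edit_post($user_level, $user_login, $author_level, $author_login) {
    // Level 0 is not logged on: nothing is editable.
    if ($user_level <= 0) {
        return false;
    }
    // Higher level than the author: may edit (the existing admin-side rule).
    if ($user_level > $author_level) {
        return true;
    }
    // Same level: only the owner may edit. Lower level: never.
    return ($user_level == $author_level) && ($user_login === $author_login);
}

// The server-side check the post says post.php is missing. Both records
// are looked up on the server, never trusted from the request URL, so a
// bookmarked or hand-typed post.php?action=edit&post=N is denied the same way.
function handle_edit_action($current_user, $post_author) {
    return user_can_edit_post($current_user['user_level'], $current_user['user_login'],
                              $post_author['user_level'], $post_author['user_login']);
}

// Constructed sample users: two authors at level 3 and an editor at level 7.
$alice  = array('user_login' => 'alice',  'user_level' => 3);
$bob    = array('user_login' => 'bob',    'user_level' => 3);
$editor = array('user_login' => 'editor', 'user_level' => 7);
$anon   = array('user_login' => '',       'user_level' => 0);

assert(handle_edit_action($alice,  $alice)  === true);   // own post
assert(handle_edit_action($alice,  $bob)    === false);  // same level, other owner: the gap described
assert(handle_edit_action($editor, $bob)    === true);   // higher level than the author
assert(handle_edit_action($bob,    $editor) === false);  // lower level than the author
assert(handle_edit_action($anon,   $bob)    === false);  // not logged on
echo "all checks passed\n";
```

    Rendering the link and authorizing the save through the same function is what removes the mismatch; hiding the link alone, as the post notes, does not.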

  • More generally, couldn’t the whole permissioning system be moved outside the WP core, so that, as a plugin, it can be shaped with more freedom (example: by creating groups)? Also, more than one plugin could be available in order to set different behaviours… (something like spam control, just to give an idea…)
    Luigi

  • The topic ‘security and users permissions’ is closed to new replies.