
Opened 5 years ago

Closed 5 years ago

#3126 closed defect (bug) (fixed)

Inconsistent capability checks when editing user role

Reported by: SergeyBiryukov
Owned by: SergeyBiryukov
Milestone: 2.6
Priority: high
Severity: normal
Version:
Component: Component - Users
Keywords: commit


User Role section in profiles is displayed with an 'edit_user' capability check, but is saved with a 'promote_user' check.

If the current user can edit_user, but not promote_user, this causes the existing role to be removed.

There should be a consistent capability check in both places; I think promote_user fits better.

Change History (2)

#1 @johnjamesjacoby
5 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 2.6
  • Priority changed from normal to high

Totally agree. Good spot.

#2 @SergeyBiryukov
5 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 6617:

Users: Check promote_user capability instead of edit_user before displaying "User Role" section in form-user-edit.php, for consistency with bbp_profile_update_role().

Fixes #3126.
