Opened 5 years ago
Last modified 4 years ago
#3369 assigned defect (bug)
More inconsistent capability checks when editing user roles
Reported by: | johnjamesjacoby | Owned by: | johnjamesjacoby
---|---|---|---
Milestone: | 2.7 | Priority: | normal
Severity: | normal | Version: |
Component: | API - Roles/Capabilities | Keywords: | needs-patch
Cc: | | |
Description
There are now a few places where edit_user is still checked in one place, when promote_user is later checked in a different one.
Specifically, bbPress never maps the promote_user capability, meaning that neither Keymasters nor Moderators are able to modify user roles, even when the "Super Moderators" feature is enabled.
This has the unintended side effect of showing Keymasters and Super-Moderators role-related UI elements for Users that they are unable to save.
(Note that this is not a security issue, but rather a case of capabilities being more strict than the super-moderator feature is intended to be.)
Related to: #3126, https://meta.trac.wordpress.org/ticket/1985.
At a cursory glance, I think the use of the promote_user capability should probably be limited to only blog/site roles, and not bbPress ones. bbPress role changes would use a dedicated but similar capability. This would allow for Admins to do their thing and Keymasters to do theirs, without unintentionally granting both at the same time.
Additionally, I think the Super Moderators option would benefit from additional descriptive text to provide context as to what capabilities it does and does not grant to Moderators, so that they are not accidentally made more powerful than is intended.
In theory, this setting could be expanded into a dropdown select to provide different levels of access if the ability to manage user roles is maybe not a requirement for some installations.
For context to this issue, the idea with Super Moderators was to allow Moderators the ability to help users with their forum access, including possibly marking them as spammers or giving them the Blocked user role. Today, this requires promote_user, which also enables Blog/Site role changes, which are not currently mapped, taking their ability to Block users away.