Opened 4 years ago

Last modified 4 years ago

#3369 assigned defect (bug)

More inconsistent capability checks when editing user roles

Reported by: johnjamesjacoby
Owned by: johnjamesjacoby
Milestone: 2.7
Priority: normal
Severity: normal
Version:
Component: API - Roles/Capabilities
Keywords: needs-patch


There are now a few places where edit_user is checked in one place, while promote_user is later checked in a different one.

Specifically, bbPress never maps the promote_user capability, meaning that neither Keymasters nor Moderators are able to modify user roles, even when the "Super Moderators" feature is enabled.

This has the unintended side effect of showing Keymasters and Super-Moderators role-related UI elements for Users that they are unable to save.

(Note that this is not a security issue, but rather a case of capabilities being more strict than the super-moderator feature is intended to be.)

Related to: #3126

Change History (3)

#1 @johnjamesjacoby
4 years ago

At a cursory glance, I think the use of the promote_user capability should probably be limited to only blog/site roles, and not bbPress ones. bbPress role changes would use a dedicated but similar capability. This would allow for Admins to do their thing and Keymasters to do theirs, without unintentionally granting both at the same time.

Additionally, I think the Super Moderators option would benefit from additional descriptive text to provide context as to what capabilities it does and does not grant to Moderators, so that they are not accidentally made more powerful than is intended.

In theory, this setting could be expanded into a dropdown select to provide different levels of access if the ability to manage user roles is maybe not a requirement for some installations.

For context to this issue, the idea with Super Moderators was to allow Moderators the ability to help users with their forum access, including possibly marking them as spammers or giving them the Blocked user role. Today, this requires promote_user which also enables Blog/Site role changes, which are not currently mapped, taking their ability to Block users away.

Last edited 4 years ago by johnjamesjacoby
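The following is an added example sketching the design proposed in the comment above; it is not bbPress's own code. It shows how a dedicated forum-role capability could be resolved through WordPress's real map_meta_cap filter (signature ($caps, $cap, $user_id, $args)) so that Keymasters and Super Moderators can change forum roles without being granted the blog/site-level promote_user capability. The capability name bbp_promote_forum_user, the role-lookup helper, the constant standing in for the Super Moderators setting and the sample users are all assumed for illustration.

```php
<?php
// Added example, not bbPress code. Maps an assumed dedicated meta capability
// 'bbp_promote_forum_user' through WordPress's map_meta_cap filter, keeping
// forum-role changes separate from the blog/site promote_user primitive.

const EXAMPLE_CAP = 'bbp_promote_forum_user'; // assumed capability name

// Constructed sample data standing in for a real forum-role lookup and for
// the "Super Moderators" setting; not real site state.
const EXAMPLE_FORUM_ROLES = array(
    1 => 'bbp_keymaster',
    2 => 'bbp_moderator',
    3 => 'bbp_participant',
    4 => 'bbp_blocked',
);
const EXAMPLE_SUPER_MODERATORS_ENABLED = true;

// A super moderator may only demote or block, never hand out an elevated
// role, so a Moderator cannot mint Moderators or Keymasters.
const EXAMPLE_ASSIGNABLE_BY_MODERATOR = array( 'bbp_participant', 'bbp_spectator', 'bbp_blocked' );
const EXAMPLE_ELEVATED_ROLES          = array( 'bbp_keymaster', 'bbp_moderator' );

function example_forum_role( int $user_id ): string {
    return EXAMPLE_FORUM_ROLES[ $user_id ] ?? 'bbp_spectator';
}

/**
 * map_meta_cap callback. $args[0] is the target user id and $args[1] the
 * forum role being assigned. Returns array('exist') to allow (every user
 * has 'exist') or array('do_not_allow') to deny, the usual WordPress idiom.
 */
function example_map_promote_forum_user( array $caps, string $cap, int $user_id, array $args ): array {
    if ( EXAMPLE_CAP !== $cap ) {
        return $caps; // Not our capability; leave every other mapping untouched.
    }

    $target_id = (int) ( $args[0] ?? 0 );
    $new_role  = (string) ( $args[1] ?? '' );

    // Nobody edits their own forum role through this path.
    if ( $target_id <= 0 || $target_id === $user_id ) {
        return array( 'do_not_allow' );
    }

    $actor_role  = example_forum_role( $user_id );
    $target_role = example_forum_role( $target_id );

    // Keymasters manage all forum roles, independent of blog/site roles.
    if ( 'bbp_keymaster' === $actor_role ) {
        return array( 'exist' );
    }

    // Moderators only when the Super Moderators setting is on, only against
    // non-elevated targets, and only to non-elevated roles.
    if ( 'bbp_moderator' === $actor_role
        && EXAMPLE_SUPER_MODERATORS_ENABLED
        && ! in_array( $target_role, EXAMPLE_ELEVATED_ROLES, true )
        && in_array( $new_role, EXAMPLE_ASSIGNABLE_BY_MODERATOR, true ) ) {
        return array( 'exist' );
    }

    return array( 'do_not_allow' );
}

// Inside WordPress the mapping would be registered like this; the guard lets
// the file also run stand-alone with the php CLI.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'map_meta_cap', 'example_map_promote_forum_user', 10, 4 );
}

// Stand-alone demonstration: (actor, target, new role) and the decision.
$checks = array(
    array( 1, 3, 'bbp_moderator' ),   // keymaster promotes participant: allowed
    array( 2, 3, 'bbp_blocked' ),     // super moderator blocks participant: allowed
    array( 2, 3, 'bbp_moderator' ),   // super moderator tries to promote: denied
    array( 2, 1, 'bbp_blocked' ),     // super moderator targets keymaster: denied
    array( 3, 4, 'bbp_participant' ), // participant tries to unblock: denied
    array( 1, 1, 'bbp_blocked' ),     // keymaster targets self: denied
);
foreach ( $checks as list( $actor, $target, $role ) ) {
    $caps = example_map_promote_forum_user( array(), EXAMPLE_CAP, $actor, array( $target, $role ) );
    printf( "user %d -> user %d as %s: %s\n", $actor, $target, $role, implode( ',', $caps ) );
}
```

Resolving the decision inside map_meta_cap means the same answer is reached wherever current_user_can() is called, so the UI that decides whether to show role controls and the save handler that enforces them can no longer drift apart the way the edit_user / promote_user checks in this ticket did.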

#2 @johnjamesjacoby
4 years ago

  • Milestone changed from 2.6.5 to 2.6.6

#3 @johnjamesjacoby
4 years ago

  • Milestone changed from 2.6.6 to 2.7

Moving out of 2.6.6 to empty the milestone.
