
bbPress.org

Opened 20 months ago

Last modified 13 months ago

#3369 assigned defect (bug)

More inconsistent capability checks when editing user roles

Reported by: johnjamesjacoby
Owned by: johnjamesjacoby
Milestone: 2.7
Priority: normal
Severity: normal
Version:
Component: API - Roles/Capabilities
Keywords: needs-patch
Cc:

Description

There are now a few places where edit_user is still checked in one place, when promote_user is later checked in a different one.

Specifically, bbPress never maps the promote_user capability, meaning that neither Keymasters nor Moderators are able to modify user roles, even when the "Super Moderators" feature is enabled.

This has the unintended side effect of showing Keymasters and Super-Moderators role-related UI elements for Users that they are unable to save.

(Note that this is not a security issue, but rather a case of capabilities being more strict than the super-moderator feature is intended to be.)

Related to: #3126, https://meta.trac.wordpress.org/ticket/1985.

Change History (3)

#1 @johnjamesjacoby
20 months ago

At a cursory glance, I think the use of the promote_user capability should probably be limited to only blog/site roles, and not bbPress ones. bbPress role changes would use a dedicated but similar capability. This would allow for Admins to do their thing and Keymasters to do theirs, without unintentionally granting both at the same time.

Additionally, I think the Super Moderators option would benefit from additional descriptive text to provide context as to what capabilities it does and does not grant to Moderators, so that they are not accidentally made more powerful than is intended.

In theory, this setting could be expanded into a dropdown select to provide different levels of access if the ability to manage user roles is maybe not a requirement for some installations.

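One way to implement the dedicated bbPress-only capability that comment #1 suggests, as an added example written for this page rather than bbPress code or a patch attached to the ticket. The capability name `edit_forum_user_role` is hypothetical. The example assumes the existing bbPress `bbp_map_meta_caps` filter (fired from bbPress's `map_meta_cap` handler with `$caps, $cap, $user_id, $args`), the helpers `bbp_get_user_role()` and `bbp_allow_super_mods()`, the primitive capabilities `keep_gate` (Keymaster) and `moderate` (Moderator), and WordPress's `do_not_allow` convention for denying a meta capability. The decision logic is kept in a pure function so it can be run without WordPress, and the same capability is meant to be checked both where the role UI is rendered and where the role is saved, which is the inconsistency the ticket describes.

```php
<?php
/**
 * Added example, not bbPress code. Maps a hypothetical meta capability
 * 'edit_forum_user_role' to bbPress primitives so that Keymasters, and
 * Moderators when the "Super Moderators" option is enabled, can change
 * forum roles without being handed WordPress's site-level promote_user.
 */

/**
 * Pure decision function: which primitive caps are required.
 *
 * @param string $actor_role     bbPress role of the acting user, e.g. 'bbp_keymaster'.
 * @param bool   $super_mods     Whether the Super Moderators option is on.
 * @param bool   $acting_on_self True when the actor targets their own account.
 * @return string[] Capabilities the actor must hold; 'do_not_allow' denies.
 */
function example_forum_role_caps( $actor_role, $super_mods, $acting_on_self ) {
	// Assumption for this example: nobody edits their own forum role here,
	// which keeps a lone Keymaster from demoting themselves by accident.
	if ( $acting_on_self ) {
		return array( 'do_not_allow' );
	}

	// Keymasters already hold keep_gate in bbPress.
	if ( 'bbp_keymaster' === $actor_role ) {
		return array( 'keep_gate' );
	}

	// Moderators only qualify when the Super Moderators option is enabled.
	if ( 'bbp_moderator' === $actor_role && $super_mods ) {
		return array( 'moderate' );
	}

	return array( 'do_not_allow' );
}

/**
 * Filter callback for bbPress's bbp_map_meta_caps (assumed signature).
 * Everything except the hypothetical capability passes through untouched.
 */
function example_map_forum_role_caps( $caps, $cap, $user_id, $args ) {
	if ( 'edit_forum_user_role' !== $cap ) {
		return $caps;
	}

	// Convention used here: $args[0] is the ID of the user being edited.
	$target_id = ! empty( $args[0] ) ? (int) $args[0] : 0;

	return example_forum_role_caps(
		bbp_get_user_role( $user_id ),
		bbp_allow_super_mods(),
		( $target_id === (int) $user_id )
	);
}

if ( function_exists( 'add_filter' ) ) {
	add_filter( 'bbp_map_meta_caps', 'example_map_forum_role_caps', 10, 4 );
}

// Intended usage in both the role UI and the save handler (so the two
// can never disagree), with $target_user_id being the edited user:
//   current_user_can( 'edit_forum_user_role', $target_user_id )

// Stand-alone demonstration of the pure logic when run outside WordPress.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_filter' ) ) {
	$cases = array(
		array( 'bbp_keymaster',   false, false ), // keymaster, super mods off
		array( 'bbp_moderator',   false, false ), // moderator, super mods off
		array( 'bbp_moderator',   true,  false ), // moderator, super mods on
		array( 'bbp_participant', true,  false ), // participant, super mods on
		array( 'bbp_keymaster',   true,  true ),  // keymaster editing self
	);
	foreach ( $cases as $c ) {
		printf(
			"%-16s super_mods=%-5s self=%-5s => %s\n",
			$c[0],
			var_export( $c[1], true ),
			var_export( $c[2], true ),
			implode( ',', example_forum_role_caps( $c[0], $c[1], $c[2] ) )
		);
	}
}
```

Because the mapping never returns `promote_user`, a site Administrator's ability to change WordPress roles and a Keymaster's ability to change bbPress roles stay independent, which is the separation comment #1 asks for; the Super Moderators option widens only the forum-role path.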

#2 @johnjamesjacoby
18 months ago

  • Milestone changed from 2.6.5 to 2.6.6

#3 @johnjamesjacoby
13 months ago

  • Milestone changed from 2.6.6 to 2.7

Moving out of 2.6.6 to empty the milestone.
