Fix disclosed vulnerability affecting Contributor-level users #42
Conversation
…m doing an import or export
|
@tylerdigital hello, this should be ready. |
tylerdigital
changed the title
public/includes/import-export.php
Outdated
| } | ||
|
|
||
| public function output_import_export_page() { | ||
| // only allow admins and editors | ||
| $user = wp_get_current_user(); | ||
| if( ! array_intersect( array('administrator', 'editor' ), (array) $user->roles ) ) { |
There was a problem hiding this comment.
@hsein-bitar I believe we want to bind to the capability here rather than the role. As written, only the default WP roles would work, but if you make a new custom role (using a plugin like Members) like Content Manager that has the ability to delete_others_posts, then it should still let you see this page. Another case would be if they modify the default Editor role so that it doesn't have permission to delete others' posts for some reason. For these cases, we want to test the capability rather than the role
I'd just make this function call if ( current_user_can( 'delete_others_posts' ) ) so that it tests for the actual capability we want rather than explicitly checking the role
There was a problem hiding this comment.
@tylerdigital thanks for the tip
Asana
https://app.asana.com/0/1202852195727075/1205661585628058/f
Context
Fix vulnerability in Draw Attention plugin
code changes to prevent users below admin or editor roles from doing an import or export