Fix disclosed vulnerability affecting Contributor-level users #42
@tylerdigital hello, this should be ready.
public/includes/import-export.php (outdated revision)

```php
}

public function output_import_export_page() {
    // only allow admins and editors
    $user = wp_get_current_user();
    if( ! array_intersect( array('administrator', 'editor' ), (array) $user->roles ) ) {
```
@hsein-bitar I believe we want to bind to the `capability` here rather than the `role`. As written, only the default WP roles would work, but if you make a new custom role (using a plugin like Members) like `Content Manager` that has the ability to `delete_others_posts`, then it should still let you see this page. Another case would be if they modify the default Editor role so that it doesn't have permission to delete others' posts for some reason. For these cases, we want to test the capability rather than the role.

I'd just make this function call `if ( current_user_can( 'delete_others_posts' ) )` so that it tests for the actual capability we want rather than explicitly checking the role.
@tylerdigital thanks for the tip
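To show why the review above asks for a capability check instead of a role check, here is an added example; it is not code from the Draw Attention plugin or from this PR. It runs both checks over a constructed stand-in for WordPress's role-to-capability table and prints where they disagree. The `content_manager` role, the second table with `delete_others_posts` removed from Editor, and the `user_has_cap()` stand-in for WordPress's real `current_user_can()` are assumptions made so the script runs with the `php` CLI and no WordPress install; the role slugs and the `delete_others_posts` capability are WordPress's own.

```php
<?php
// Added example, not Draw Attention plugin code. Models the two access checks
// discussed in review against a tiny stand-in for WordPress's role table so
// it runs offline. In a real plugin the capability check is simply
// current_user_can( 'delete_others_posts' ).

// Constructed role table. 'content_manager' is a hypothetical custom role of
// the kind a plugin such as Members can create; it is granted the capability.
$default_roles = [
    'administrator'   => [ 'delete_others_posts' => true ],
    'editor'          => [ 'delete_others_posts' => true ],
    'content_manager' => [ 'delete_others_posts' => true ],
    'contributor'     => [ 'delete_others_posts' => false ],
];

// Same site after an admin strips delete_others_posts from the built-in Editor role.
$modified_roles = $default_roles;
$modified_roles['editor']['delete_others_posts'] = false;

// Minimal stand-in for WP_User: only the ->roles array is needed here.
function make_user( array $user_roles ): object {
    return (object) [ 'roles' => $user_roles ];
}

// Stand-in for current_user_can(): the user has the capability if any of
// their roles grants it. (WordPress also merges per-user caps; omitted here.)
function user_has_cap( object $user, string $cap, array $role_table ): bool {
    foreach ( (array) $user->roles as $role ) {
        if ( ! empty( $role_table[ $role ][ $cap ] ) ) {
            return true;
        }
    }
    return false;
}

// Check as written in the original patch: bound to two role slugs.
function allowed_by_role( object $user ): bool {
    return (bool) array_intersect( [ 'administrator', 'editor' ], (array) $user->roles );
}

// Check as suggested in review: bound to the capability the page actually needs.
function allowed_by_capability( object $user, array $role_table ): bool {
    return user_has_cap( $user, 'delete_others_posts', $role_table );
}

// Run every single-role user in the table through both checks and flag disagreements.
function compare_checks( string $label, array $role_table ): void {
    echo "== $label ==\n";
    foreach ( array_keys( $role_table ) as $role ) {
        $user    = make_user( [ $role ] );
        $by_role = allowed_by_role( $user );
        $by_cap  = allowed_by_capability( $user, $role_table );
        printf( "%-16s role check: %-5s  capability check: %-5s%s\n",
            $role,
            $by_role ? 'allow' : 'deny',
            $by_cap  ? 'allow' : 'deny',
            $by_role !== $by_cap ? '  <-- checks disagree' : '' );
    }
}

compare_checks( 'default roles', $default_roles );
compare_checks( 'Editor stripped of delete_others_posts', $modified_roles );
```

With the default table the checks disagree on `content_manager` (role check denies a user who holds the capability); with the modified table they disagree on `editor` (role check still allows a user the site owner deliberately took the capability away from). Contributors are denied by both, which is the case the PR title is about. In the plugin itself the check reduces to `if ( ! current_user_can( 'delete_others_posts' ) ) { wp_die( ... ); }` at the top of `output_import_export_page()`, and the same capability test belongs in front of whatever code processes a submitted import or export, not only on the page that renders the form.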
Asana: https://app.asana.com/0/1202852195727075/1205661585628058/f

Context: Fix vulnerability in Draw Attention plugin. Code changes to prevent users below admin or editor roles from doing an import or export.