Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter Gabriel Reguly

    (@gabriel-reguly)

    Hi again,

    I have done a fix for the issue, in function map_meta_cap(..)

    replace

    if ( ( 'switch_to_user' == $cap ) and ( $args[0] == $user_id ) )

    with

    if ( ( 'switch_to_user' == $cap ) and ( ( $args[0] == $user_id ) or ( is_super_admin( $args[0] ) ) ) )

    Regards,
    Gabriel

    Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    Hi Gabriel,

    Thanks for the feedback. I cannot reproduce this problem.

    The ‘do_not_allow’ capability in map_meta_cap() only affects super-admins and simply prevents them from switching to themselves. Your fix will prevent super admins switching to other super admins.

    The user_cap_filter() function grants the ‘switch_to_user’ capability to users only if they can edit the user they’re trying to switch to (and if it’s not themselves). Site admins cannot edit super admins, so therefore they’re not granted the ‘switch_to_user’ capability for super admins.

    Are you running a plugin which might be affecting user roles or capabilities?
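
    The two-stage check described in the reply above, as an added example that is not part of the original post and is not the plugin's code. It is a stand-alone model with no WordPress dependency; the `model_*` function names, the sample users and the simplified "can edit" rule are assumptions made for illustration.

    ```php
    <?php
    // Stand-alone model for illustration; not the plugin's code, no WordPress needed.
    // Constructed sample users on a hypothetical multisite install.
    $users = [
        1 => ['name' => 'super_a',    'super' => true,  'admin' => true],
        2 => ['name' => 'super_b',    'super' => true,  'admin' => true],
        3 => ['name' => 'site_admin', 'super' => false, 'admin' => true],
        4 => ['name' => 'author',     'super' => false, 'admin' => false],
    ];

    // Assumption: stands in for the "can edit this user" check.
    // Super admins can edit anyone; site admins can edit only non-super users.
    function model_can_edit(array $users, int $actor, int $target): bool {
        if ($users[$actor]['super']) {
            return true;
        }
        return $users[$actor]['admin'] && !$users[$target]['super'];
    }

    // Stage 1, as described for user_cap_filter(): grant 'switch_to_user'
    // only when the actor can edit the target and the target is not the actor.
    function model_cap_filter(array $users, int $actor, int $target): bool {
        return $actor !== $target && model_can_edit($users, $actor, $target);
    }

    // Stage 2, as described for map_meta_cap(): true means 'do_not_allow'.
    // $patched adds the extra condition proposed in the first post.
    function model_do_not_allow(array $users, int $actor, int $target, bool $patched): bool {
        return $target === $actor || ($patched && $users[$target]['super']);
    }

    function model_can_switch(array $users, int $actor, int $target, bool $patched = false): bool {
        if (model_do_not_allow($users, $actor, $target, $patched)) {
            return false; // 'do_not_allow' overrides even a super admin
        }
        // Super admins pass capability checks without needing the stage 1 grant.
        return $users[$actor]['super'] || model_cap_filter($users, $actor, $target);
    }

    // Print the decision for every actor/target pair, original vs. patched.
    foreach ($users as $a => $actor) {
        foreach ($users as $t => $target) {
            printf("%-10s -> %-10s original=%-5s patched=%s\n", $actor['name'], $target['name'],
                model_can_switch($users, $a, $t) ? 'allow' : 'deny',
                model_can_switch($users, $a, $t, true) ? 'allow' : 'deny');
        }
    }
    ```

    In this model the two columns differ only for one super admin switching to the other; the site admin is denied switching to a super admin in both columns.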

    Thread Starter Gabriel Reguly

    (@gabriel-reguly)

    Hi John,

    As a matter of fact, I am running some code that is causing the issue.

    I’ll have a look at it to make a fix at the correct place.

    Thanks for your support.

    Regards,
    Gabriel

  • The topic ‘[Plugin: User Switching] Security’ is closed to new replies.