User Role Editor - Version 2.0.1

Version Description

  • 04.04.2010
  • This is a critical update: a security issue is fixed. Thanks to Saharuza for discovering it and telling me about it. A user with the 'edit_users' permission could still use a URL request with special parameters to remove the Administrator role from an Admin user or delete the Admin user record. Check this thread for more details.

Release Info

Developer shinephp
Version 2.0.1

Code changes from version 2.0 to 2.0.1

Files changed (3) hide show
  1. readme.txt +7 -2
  2. ure-lib.php +27 -1
  3. user-role-editor.php +50 -6
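--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://www.shinephp.com/donate/
 Tags: user, role, editor, security, access, permission, capability
 Requires at least: 2.8.
 Tested up to: 3.0
-Stable tag: 2.0
+Stable tag: 2.0.1
 
 User Role Editor WordPress plugin makes the role capabilities changing easy. You can change any standard WordPress user role (except administrator) with a few clicks.
 
@@ -54,12 +54,17 @@ For version 2.0 I used online translators for some phrases in German, French and
 You are welcome! Help me with plugin translation, share with me new ideas about it further development and link to your site will appear here.
 
 == Changelog ==
+= 2.0.1 =
+* 04.04.2010
+* It is the critical update - security issue is fixed. Thanks to [Saharuza](http://wordpress.org/support/profile/2855662) for discover and telling me about it.
+User with 'edit_users' permission could still use URL request with special parameters to remove Administrator role from Admin user or delete Admin user record. Check [this thread](http://wordpress.org/support/topic/383935) for more details.
+
 = 2.0 =
 * 04.04.2010
 * Create New Role feature was added
 * Delete self-made not used role feature was added. You can not delete any WordPress standard role.
 * Change default role for new user feature was added
-* Administator role and users with Administrator role permision were hidden from "Users" and "Edit User" page. This is done in case of delegation of add_user, edit_user or delete_user capabilities to some role.
+* Administator role and users with Administrator role permission were hidden from "Users" and "Edit User" page. This is done in case of delegation of add_user, edit_user or delete_user capabilities to some role.
 
 = 1.2 =
 * 28.03.2010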
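--- a/ure-lib.php
+++ b/ure-lib.php
@@ -33,7 +33,8 @@ define('URE_ERROR', 'Error is encountered');
 global $wpdb, $ure_OptionsTable;
 
 $ure_OptionsTable = $wpdb->prefix .'options';
-
+// this array will be used to cash users checked for Administrator role
+$ure_userToEdit = array();
 
 function ure_logEvent($message, $showMessage = false) {
 include(ABSPATH .'wp-includes/version.php');
@@ -308,4 +309,29 @@ function ure_changeDefaultRole() {
 // end of ure_changeDefaultRole()
 
 
+// returns true is user has Role "Administrator"
+function ure_is_admin($user_id) {
+global $wpdb, $ure_userToEdit;
+
+if (!isset($user_id) || !$user_id) {
+return false;
+}
+
+$tableName = $wpdb->prefix.'usermeta';
+$metaKey = $wpdb->prefix.'capabilities';
+$query = "SELECT count(*)
+FROM $tableName
+WHERE user_id=$user_id AND meta_key='$metaKey' AND meta_value like '%administrator%'";
+$hasAdminRole = $wpdb->get_var($query);
+if ($hasAdminRole>0) {
+$result = true;
+} else {
+$result = false;
+}
+$ure_userToEdit[$user_id] = $result;
+
+return $result;
+}
+// end of ure_is_admin()
+
 ?>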
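Review bot: `ure_is_admin()` interpolates `$user_id` directly into the SQL string at `WHERE user_id=$user_id`, and its caller in this commit hands it the raw request value, so anything non-numeric reaches the database unescaped. Cast at the top, `$user_id = (int) $user_id;`, and build the statement with `$wpdb->prepare("SELECT count(*) FROM $tableName WHERE user_id=%d AND meta_key=%s AND meta_value like %s", $user_id, $metaKey, '%administrator%')`, which also normalises the `$ure_userToEdit` cache key to an integer. The `like '%administrator%'` test is a substring match on the serialized capabilities blob, so any custom role whose key contains that word is treated as admin as well; that errs in the safe direction here but deserves a comment saying so. Comment fixes: `// returns true if user has Role "Administrator"` and `// this array will be used to cache users checked for Administrator role`.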
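--- a/user-role-editor.php
+++ b/user-role-editor.php
@@ -3,7 +3,7 @@
 Plugin Name: User Role Editor
 Plugin URI: http://www.shinephp.com/user-role-editor-wordpress-plugin/
 Description: It allows you to change any standard WordPress user roles (except administrator) capabilities list with a few clicks.
-Version: 2.0
+Version: 2.0.1
 Author: Vladimir Garagulya
 Author URI: http://www.shinephp.com
 Text Domain: ure
@@ -81,7 +81,7 @@ function ure_install() {
 
 function ure_excludeAdminRole($roles) {
 
-if ( isset( $roles['administrator'] ) && !current_user_can('level_10') ){
+if (isset($roles['administrator'])){
 unset( $roles['administrator'] );
 }
 
@@ -93,7 +93,7 @@ function ure_excludeAdminRole($roles) {
 
 function ure_admin_jquery(){
 global $pagenow;
-if ( 'users.php' == $pagenow ){
+if ('users.php'==$pagenow){
 wp_enqueue_script('jquery');
 }
 }
@@ -134,21 +134,65 @@ function ure_admin_user_hide(){
 // end of ure_admin_user_hide()
 
 
+// We have to vulnerable queries id users admin interfase which should be processed
+// 1st: http://blogdomain.com/wp-admin/user-edit.php?user_id=ID&wp_http_referer=%2Fwp-admin%2Fusers.php
+// 2nd: http://blogdomain.com/wp-admin/users.php?action=delete&user=ID&_wpnonce=ab34225a78
+// If put Administrator user ID into such request, user with lower capabilities (if he has 'edit_users')
+// can edit, delete admin record
+// This function removes 'edit_users' capability from current user capabilities
+// if request has admin user ID in it
+function ure_not_edit_admin($allcaps, $caps, $name) {
+
+global $ure_userToEdit;
+
+$userKeys = array('user_id', 'user');
+foreach ($userKeys as $userKey) {
+$accessDeny = false;
+if (isset($_GET[$userKey])) {
+$ure_UserId = $_GET[$userKey];
+if ($ure_UserId==1) { // built-in WordPress Admin
+$accessDeny = true;
+} else {
+if (!isset($ure_userToEdit[$ure_UserId])) {
+// check if user_id has Administrator role
+$accessDeny = ure_is_admin($ure_UserId);
+} else {
+// user_id was checked already, get result from cash
+$accessDeny = $ure_userToEdit[$ure_UserId];
+}
+}
+if ($accessDeny) {
+unset($allcaps['edit_users']);
+}
+break;
+}
+}
+
+return $allcaps;
+}
+// end of ure_not_edit_admin()
+
+
 function ure_init() {
 
+global $pagenow;
+
 if(function_exists('register_setting')) {
 register_setting('ure-options', 'ure_option');
 }
-// Exclude administrator role from edit list.
-add_filter('editable_roles', 'ure_excludeAdminRole');
+// these filters and actions should prevent editing users with administrator role
+// by other users with 'edit_users' capabilities
 if (!current_user_can('level_10')) {
+// Exclude administrator role from edit list.
+add_filter('editable_roles', 'ure_excludeAdminRole');
 // Enqueue jQuery
 add_action('admin_enqueue_scripts' , 'ure_admin_jquery' );
 // Hide Administrator from list of users
 add_action('admin_head' , 'ure_admin_user_hide');
+// prohibit any actions with user who has Administrator role
+add_filter('user_has_cap', 'ure_not_edit_admin', 10, 3);
 }
 
-
 }
 // end of ure_init()
 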
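Review bot: `ure_not_edit_admin()` strips `edit_users` only when the id arrives in `$_GET['user_id']` or `$_GET['user']`, so an id delivered through any other channel (a submitted form body, or an array-valued parameter as bulk actions use) is never checked; reading the keys from `$_REQUEST` and iterating `(array) $value` before the id test would close that gap. The raw value also flows into `$ure_UserId==1` and `ure_is_admin($ure_UserId)` unvalidated, so cast first: `$ure_UserId = (int) $_GET[$userKey];`. If the delete path on the targeted WordPress version is gated by `delete_users` rather than `edit_users` (not verifiable from this hunk), unsetting only `edit_users` will not stop it, so consider removing both capabilities when `$accessDeny` is set. The header comment should read `// We have two vulnerable requests in the users admin interface which should be processed`, and `global $pagenow;` added at new line 178 of ure_init() is not referenced anywhere in the visible body.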