Skip to:
Content

BuddyPress.org

Opened 5 years ago

Closed 2 years ago

#8070 closed defect (bug) (fixed)

Missing 'edit_users' check in member_can_edit()

Reported by: venutius's profile Venutius Owned by: dcavins's profile dcavins
Milestone: 10.0.0 Priority: normal
Severity: normal Version: 4.2.0
Component: Members Keywords: needs-patch good-first-bug
Cc:

Description

There seems to be a missing check for edit_users capability in the member_can_edit function on line 329 of bussypress/bp-members/classes/class-bp-members-admin.php:

$retval = bp_current_user_can( 'bp_moderate' );

This could be changed to:

$retval = ( bp_current_user_can( 'bp_moderate' ) || current_user_can( 'edit_users' ) );

Change History (2)

#1 @imath
2 years ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 10.0.0

Hi @Venutius

Thanks for your feedback. I believe the bp_moderate cap should include in a way the edit_users cap as it is dynamically added to Administrators or Super Administrators on multisite. See https://wordpress.org/support/article/roles-and-capabilities/

I guess the need for the edit_users check is linked to custom roles?

I'd like to see a patch about it, if this can happen, I'm fine with including it into 10.0.0

#2 @dcavins
2 years ago

  • Owner set to dcavins
  • Resolution set to fixed
  • Status changed from new to closed

In 13161:

In BP_Members_Admin, add checks for 'edit_users' capability.

BP_Members_Admin checks the bp_moderate
capability in several situations when
checking whether or not the user can
generally edit users is also a sensible check.

Props venutius.

Fixes #8070.
Fixes #8072.
Fixes #8073.

Note: See TracTickets for help on using tickets.