BuddyPress.org

Opened 3 years ago

Last modified 3 weeks ago

#8070 new defect (bug)

Missing 'edit_users' check in member_can_edit()

Reported by: Venutius
Owned by:
Milestone: 10.0.0
Priority: normal
Severity: normal
Version: 4.2.0
Component: Members
Keywords: needs-patch good-first-bug
Cc:

Description

There seems to be a missing check for the edit_users capability in the member_can_edit function on line 329 of buddypress/bp-members/classes/class-bp-members-admin.php:

$retval = bp_current_user_can( 'bp_moderate' );

This could be changed to:

$retval = ( bp_current_user_can( 'bp_moderate' ) || current_user_can( 'edit_users' ) );

Change History (1)

#1 @imath
3 weeks ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 10.0.0

Hi @Venutius

Thanks for your feedback. I believe the bp_moderate cap should, in a way, include the edit_users cap, as it is dynamically added to Administrators or Super Administrators on multisite. See https://wordpress.org/support/article/roles-and-capabilities/

I guess the need for the edit_users check is linked to custom roles?

I'd like to see a patch about it. If this can happen, I'm fine with including it in 10.0.0.
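
To compare the two conditions from the description for a custom role that holds edit_users but was never given bp_moderate, the following script evaluates both on a throwaway user. It is an added example, not code from the ticket or from BuddyPress; the role name `user_editor`, the login `cap_probe` and the file name are hypothetical, and it assumes a single-site test install with BuddyPress active and WP-CLI available.

```php
<?php
// Added example, not BuddyPress code. Run on a test install with:
//   wp eval-file compare-caps.php
// 'user_editor' and 'cap_probe' are hypothetical names used only here.

function compare_member_edit_checks() {
	// Custom role with edit_users but without manage_options or bp_moderate.
	remove_role( 'user_editor' );
	add_role( 'user_editor', 'User Editor', array(
		'read'       => true,
		'edit_users' => true,
	) );

	$user_id = wp_insert_user( array(
		'user_login' => 'cap_probe',
		'user_email' => 'cap_probe@example.invalid', // constructed address
		'user_pass'  => wp_generate_password( 24 ),
		'role'       => 'user_editor',
	) );
	if ( is_wp_error( $user_id ) ) {
		remove_role( 'user_editor' );
		return $user_id;
	}

	$previous = get_current_user_id();
	wp_set_current_user( $user_id );

	$results = array(
		// Condition quoted in the ticket as the existing line.
		'current_check'  => bp_current_user_can( 'bp_moderate' ),
		// Condition proposed in the ticket.
		'proposed_check' => ( bp_current_user_can( 'bp_moderate' ) || current_user_can( 'edit_users' ) ),
	);

	// Restore the previous user and remove the temporary user and role.
	wp_set_current_user( $previous );
	require_once ABSPATH . 'wp-admin/includes/user.php';
	wp_delete_user( $user_id );
	remove_role( 'user_editor' );

	return $results;
}

var_dump( compare_member_edit_checks() );
```

On multisite, WordPress core additionally ties edit_users to manage_network_users, so results there reflect that mapping as well.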
