Opened 5 years ago
Closed 3 years ago
#8073 closed defect (bug) (fixed)
process_members_type_updte not checking for 1edit_users' capability
Reported by: | Venutius | Owned by: | dcavins |
---|---|---|---|
Milestone: | 10.0.0 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Members | Keywords: | needs-patch good-first-bug |
Cc: |
Description
Whislt checking the permission checks in buddypress/bp-members/classes/class-bp-members-admin.php
I came across line 1228 which seems to omit the capability check for 'edit_users':
if ( ! bp_current_user_can( 'bp_moderate' ) && $user_id != bp_loggedin_user_id() ) {
I think this should be changed to:
if ( ! current_user_can( 'edit_users' ) && ! bp_current_user_can( 'bp_moderate' ) && $user_id != bp_loggedin_user_id() ) {
Change History (2)
Note: See
TracTickets for help on using
tickets.
Hi,
I'd like to see a patch about it, if this can happen, I'm fine with including it into 10.0.0