From 1451ebc0d14181b8df1eac89a90addbbf2e5befe Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Thu, 8 Oct 2015 21:59:25 +0000 Subject: [PATCH] On the Users list table, show all the roles of a user in a comma-separated list if they have more than one role. This prevents role obfuscation in situations where a user has had more than one role programmatically assigned to them. Fixes #22959 Props scribu, JustinSainton, DrewAPicture, johnbillion Built from https://develop.svn.wordpress.org/trunk@34963 git-svn-id: http://core.svn.wordpress.org/trunk@34928 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- .../includes/class-wp-users-list-table.php | 65 ++++++++++++++----- wp-includes/version.php | 2 +- 2 files changed, 51 insertions(+), 16 deletions(-) diff --git a/wp-admin/includes/class-wp-users-list-table.php b/wp-admin/includes/class-wp-users-list-table.php index 73d2fd30a6..852552c703 100644 --- a/wp-admin/includes/class-wp-users-list-table.php +++ b/wp-admin/includes/class-wp-users-list-table.php @@ -324,21 +324,11 @@ class WP_Users_List_Table extends WP_List_Table { if ( ! $this->is_site_users ) $post_counts = count_many_users_posts( array_keys( $this->items ) ); - $editable_roles = array_keys( get_editable_roles() ); - foreach ( $this->items as $userid => $user_object ) { - if ( count( $user_object->roles ) <= 1 ) { - $role = reset( $user_object->roles ); - } elseif ( $roles = array_intersect( array_values( $user_object->roles ), $editable_roles ) ) { - $role = reset( $roles ); - } else { - $role = reset( $user_object->roles ); - } - if ( is_multisite() && empty( $user_object->allcaps ) ) continue; - echo "\n\t" . $this->single_row( $user_object, $style = '', $role, isset( $post_counts ) ? $post_counts[ $userid ] : 0 ); + echo "\n\t" . $this->single_row( $user_object, '', '', isset( $post_counts ) ? $post_counts[ $userid ] : 0 ); } } 
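Review bot: The rewritten `$this->single_row( $user_object, '', '', ... )` call passes two bare `''` arguments whose meaning is only discoverable from single_row()'s docblock; a one-line comment on that call would save the next reader the lookup, e.g. `// $style and $role are deprecated; empty strings are passed only to reach $numposts.` Removing the `$editable_roles` intersection means the table no longer picks one preferred role per user, which is the intent of the change, so nothing else in this hunk needs altering. The enclosing method (presumably display_rows()) begins before this hunk.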
@@ -346,12 +336,13 @@ class WP_Users_List_Table extends WP_List_Table { * Generate HTML for a single row on the users.php admin panel. * * @since 3.1.0 - * @since 4.2.0 The `$style` argument was deprecated. + * @since 4.2.0 The `$style` parameter was deprecated. + * @since 4.4.0 The `$role` parameter was deprecated. * @access public * * @param object $user_object The current user object. * @param string $style Deprecated. Not used. - * @param string $role Optional. Key for the $wp_roles array. Default empty. + * @param string $role Deprecated. Not used. * @param int $numposts Optional. Post count to display for this user. Defaults * to zero, as in, a new user has made zero posts. * @return string Output for a single row. @@ -370,6 +361,8 @@ class WP_Users_List_Table extends WP_List_Table { else $url = 'users.php?'; + $user_roles = $this->get_role_list( $user_object ); + // Set up the hover actions for this user $actions = array(); $checkbox = ''; @@ -402,9 +395,12 @@ class WP_Users_List_Table extends WP_List_Table { */ $actions = apply_filters( 'user_row_actions', $actions, $user_object ); + // Role classes. + $role_classes = esc_attr( implode( ' ', array_keys( $user_roles ) ) ); + // Set up the checkbox ( because the user is editable, otherwise it's empty ) $checkbox = '' - . ""; + . ""; } else { $edit = '' . $user_object->user_login . ''; @@ -412,6 +408,9 @@ class WP_Users_List_Table extends WP_List_Table { $role_name = isset( $wp_roles->role_names[$role] ) ? translate_user_role( $wp_roles->role_names[$role] ) : __( 'None' ); $avatar = get_avatar( $user_object->ID, 32 ); + // Comma-separated list of user roles. + $roles_list = implode( ', ', $user_roles ); + $r = ""; list( $columns, $hidden, $sortable, $primary ) = $this->get_column_info(); @@ -448,7 +447,7 @@ class WP_Users_List_Table extends WP_List_Table { $r .= "$email"; break; case 'role': - $r .= $role_name; + $r .= esc_html( $roles_list ); break; case 'posts': if ( $numposts > 0 ) { 
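Review bot: In the `$role_classes` hunk the class list is built from `array_keys( $user_roles )`, and that array has already passed through the `get_role_list` filter, so the keys are whatever a callback returned rather than guaranteed role slugs, and the `'none'` sentinel key also ends up in the attribute. `esc_attr()` keeps the attribute well-formed but does not turn an arbitrary key into a valid class token; `sanitize_html_class()` would, e.g. `$role_classes = esc_attr( implode( ' ', array_map( 'sanitize_html_class', array_keys( $user_roles ) ) ) );`. The markup of the `$checkbox` line this feeds is not legible in this copy of the patch, so the exact attribute it targets is inferred. single_row() starts before and ends after this hunk.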
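Review bot: The context line `$role_name = isset( $wp_roles->role_names[$role] ) ? translate_user_role( ... ) : __( 'None' );` now derives a value from the deprecated, always-empty `$role` parameter, and its only visible consumer — `$r .= $role_name;` in the `case 'role'` branch — is replaced by `esc_html( $roles_list )` in the following hunk, so it is dead code after this commit. Drop the assignment, and the `global $wp_roles` in single_row() as well if nothing else in the method still reads it (that part lies outside the hunk). Leaving it means every row performs a role lookup with an empty key, harmless but misleading. single_row() starts before and ends after this hunk.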
@@ -495,4 +494,40 @@ class WP_Users_List_Table extends WP_List_Table { protected function get_default_primary_column_name() { return 'username'; } + + /** + * Returns an array of user roles for a given user object. + * + * @since 4.4.0 + * @access protected + * + * @param WP_User $user_object The WP_User object. + * @return array An array of user roles. + */ + protected function get_role_list( $user_object ) { + global $wp_roles; + + $role_list = array(); + + foreach ( $user_object->roles as $role ) { + if ( isset( $wp_roles->role_names[ $role ] ) ) { + $role_list[ $role ] = translate_user_role( $wp_roles->role_names[ $role ] ); + } + } + + if ( empty( $role_list ) ) { + $role_list['none'] = _x( 'None', 'no user roles' ); + } + + /** + * Filter the returned array of roles for a user. + * + * @since 4.4.0 + * + * @param array $role_list An array of user roles. + * @param WP_User $user_object A WP_User object. + */ + return apply_filters( 'get_role_list', $role_list, $user_object ); + } + } diff --git a/wp-includes/version.php b/wp-includes/version.php index 58c9e2c9bb..656b9c8703 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.4-alpha-34962'; +$wp_version = '4.4-alpha-34963'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
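Review bot: get_role_list()'s docblock and the `get_role_list` filter docblock should state the contract the callers rely on: keys are role slugs that single_row() emits as class names, values are plain-text role names that single_row() passes through `esc_html()`, and an empty role set yields the sentinel `'none' => 'None'` entry — so a callback returning HTML will see it escaped, and a callback returning a non-array will break the `array_keys()`/`implode()` calls in single_row(). A sharper return tag would be `@return array Associative array of role slug => translated role name; holds a single 'none' entry when the user has no recognised roles.`. The `global $wp_roles;` access could also become `$wp_roles = wp_roles();`, which initialises the global on demand, if the file's conventions allow it.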