WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

- don't pass user id to list_users check 

- only link the username if the edit_user cap check passes

see #13074


git-svn-id: http://svn.automattic.com/wordpress/trunk@14191 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
josephscott 2010-04-22 22:53:44 +00:00
parent 9356c4b72d
commit 47699849f7
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
wp-admin/includes/template.php
View File

@ -1812,7 +1812,7 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
$short_url = substr( $short_url, 0, 32 ).'...';
$checkbox = '';
// Check if the user for this row is editable
if ( current_user_can( 'list_users', $user_object->ID ) ) {
if ( current_user_can( 'list_users' ) ) {
// Set up the user editing link
// TODO: make profile/user-edit determination a separate function
if ($current_user->ID == $user_object->ID) {
@ -1825,8 +1825,13 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
// Set up the hover actions for this user
$actions = array();
if ( current_user_can('edit_user', $user_object->ID) )
if ( current_user_can('edit_user', $user_object->ID) ) {
$edit = "<strong><a href=\"$edit_link\">$user_object->user_login</a></strong><br />";
$actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
} else {
$edit = "<strong>$user_object->user_login</strong><br />";
}
if ( !is_multisite() && $current_user->ID != $user_object->ID && current_user_can('delete_user', $user_object->ID) )
$actions['delete'] = "<a class='submitdelete' href='" . wp_nonce_url("users.php?action=delete&amp;user=$user_object->ID", 'bulk-users') . "'>" . __('Delete') . "</a>";
if ( is_multisite() && $current_user->ID != $user_object->ID && current_user_can('remove_user', $user_object->ID) )