WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove 'fall through' points in map_meta_cap() as they can hide bugs. 

git-svn-id: http://core.svn.wordpress.org/trunk@21152 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
nacin 2012-06-27 19:27:54 +00:00
parent b624dd94d5
commit 4add59f0c1
1 changed files with 27 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
wp-includes/capabilities.php
View File

@ -947,16 +947,16 @@ function map_meta_cap( $cap, $user_id ) {
$caps[] = 'promote_users'; $caps[] = 'promote_users';
break; break;
case 'edit_user': case 'edit_user':
// Allow user to edit itself
if ( isset( $args[0] ) && $user_id == $args[0] )
break;
// Fall through
case 'edit_users': case 'edit_users':
// Allow user to edit itself
if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] )
break;
// If multisite these caps are allowed only for super admins. // If multisite these caps are allowed only for super admins.
if ( is_multisite() && !is_super_admin( $user_id ) ) if ( is_multisite() && !is_super_admin( $user_id ) )
$caps[] = 'do_not_allow'; $caps[] = 'do_not_allow';
else else
$caps[] = 'edit_users'; // Explicit due to primitive fall through $caps[] = 'edit_users'; // edit_user maps to edit_users.
break; break;
case 'delete_post': case 'delete_post':
case 'delete_page': case 'delete_page':
@ -1130,17 +1130,24 @@ function map_meta_cap( $cap, $user_id ) {
// Disallow unfiltered_html for all users, even admins and super admins. // Disallow unfiltered_html for all users, even admins and super admins.
if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML )
$caps[] = 'do_not_allow'; $caps[] = 'do_not_allow';
elseif ( is_multisite() && ! is_super_admin( $user_id ) )
$caps[] = 'do_not_allow';
else else
$caps[] = $cap; $caps[] = $cap;
break; break;
case 'edit_files': case 'edit_files':
case 'edit_plugins': case 'edit_plugins':
case 'edit_themes': case 'edit_themes':
if ( defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT ) { // Disallow the file editors.
if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT )
$caps[] = 'do_not_allow'; $caps[] = 'do_not_allow';
elseif ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
$caps[] = 'do_not_allow';
elseif ( is_multisite() && ! is_super_admin( $user_id ) )
$caps[] = 'do_not_allow';
else
$caps[] = $cap;
break; break;
}
// Fall through if not DISALLOW_FILE_EDIT.
case 'update_plugins': case 'update_plugins':
case 'delete_plugins': case 'delete_plugins':
case 'install_plugins': case 'install_plugins':
@ -1148,23 +1155,22 @@ function map_meta_cap( $cap, $user_id ) {
case 'delete_themes': case 'delete_themes':
case 'install_themes': case 'install_themes':
case 'update_core': case 'update_core':
// Disallow anything that creates, deletes, or edits core, plugin, or theme files. // Disallow anything that creates, deletes, or updates core, plugin, or theme files.
// Files in uploads are excepted. // Files in uploads are excepted.
if ( defined('DISALLOW_FILE_MODS') && DISALLOW_FILE_MODS ) { if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
$caps[] = 'do_not_allow'; $caps[] = 'do_not_allow';
elseif ( is_multisite() && ! is_super_admin( $user_id ) )
$caps[] = 'do_not_allow';
else
$caps[] = $cap;
break; break;
}
// Fall through if not DISALLOW_FILE_MODS.
case 'delete_user': case 'delete_user':
case 'delete_users': case 'delete_users':
// If multisite these caps are allowed only for super admins. // If multisite only super admins can delete users.
if ( is_multisite() && !is_super_admin( $user_id ) ) { if ( is_multisite() && ! is_super_admin( $user_id ) )
$caps[] = 'do_not_allow'; $caps[] = 'do_not_allow';
} else { else
if ( 'delete_user' == $cap ) $caps[] = 'delete_users'; // delete_user maps to delete_users.
$cap = 'delete_users';
$caps[] = $cap;
}
break; break;
case 'create_users': case 'create_users':
if ( !is_multisite() ) if ( !is_multisite() )