WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Users: Use `promote_users` for role updates in `edit_user()`. 

`edit_user()` can also update user roles but was still using the `edit_users` capability instead of the newer `promote_users` capability introduced in [14176].
This makes the role handling consistent with the bulk dropdown menu for role changes.

Props flixos90, johnjamesjacoby, ocean90.
Fixes #42564.
Built from https://develop.svn.wordpress.org/trunk@42855


git-svn-id: http://core.svn.wordpress.org/trunk@42685 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Dominik Schilling 2018-03-19 20:29:34 +00:00
parent 6fd9d2edcf
commit 61ba57abb7
2 changed files with 20 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
wp-admin/includes/user.php
View File

@ -30,9 +30,10 @@ function add_user() {
function edit_user( $user_id = 0 ) { function edit_user( $user_id = 0 ) {
$wp_roles = wp_roles(); $wp_roles = wp_roles();
$user = new stdClass; $user = new stdClass;
$user_id = (int) $user_id;
if ( $user_id ) { if ( $user_id ) {
$update = true; $update = true;
$user->ID = (int) $user_id; $user->ID = $user_id;
$userdata = get_userdata( $user_id ); $userdata = get_userdata( $user_id );
$user->user_login = wp_slash( $userdata->user_login ); $user->user_login = wp_slash( $userdata->user_login );
} else { } else {
@ -51,20 +52,28 @@ function edit_user( $user_id = 0 ) {
$pass2 = $_POST['pass2']; $pass2 = $_POST['pass2'];
} }
if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { if ( isset( $_POST['role'] ) && current_user_can( 'promote_users' ) && ( ! $user_id || current_user_can( 'promote_user', $user_id ) ) ) {
$new_role = sanitize_text_field( $_POST['role'] ); $new_role = sanitize_text_field( $_POST['role'] );
$potential_role = isset( $wp_roles->role_objects[ $new_role ] ) ? $wp_roles->role_objects[ $new_role ] : false;
// Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
// Multisite super admins can freely edit their blog roles -- they possess all caps.
if ( ( is_multisite() && current_user_can( 'manage_sites' ) ) || $user_id != get_current_user_id() || ( $potential_role && $potential_role->has_cap( 'edit_users' ) ) ) {
$user->role = $new_role;
}
// If the new role isn't editable by the logged-in user die with error // If the new role isn't editable by the logged-in user die with error.
$editable_roles = get_editable_roles(); $editable_roles = get_editable_roles();
if ( ! empty( $new_role ) && empty( $editable_roles[ $new_role ] ) ) { if ( ! empty( $new_role ) && empty( $editable_roles[ $new_role ] ) ) {
wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 ); wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
} }
$potential_role = isset( $wp_roles->role_objects[ $new_role ] ) ? $wp_roles->role_objects[ $new_role ] : false;
/*
* Don't let anyone with 'promote_users' edit their own role to something without it.
* Multisite super admins can freely edit their roles, they possess all caps.
*/
if (
( is_multisite() && current_user_can( 'manage_network_users' ) ) ||
$user_id !== get_current_user_id() ||
( $potential_role && $potential_role->has_cap( 'promote_users' ) )
) {
$user->role = $new_role;
}
} }
if ( isset( $_POST['email'] ) ) { if ( isset( $_POST['email'] ) ) {

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.0-alpha-42852'; $wp_version = '5.0-alpha-42855';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.