Move add/remove super admin out of bulk edit and into user-edit.php. Introduce grant_super_admin() and revoke_super_admin(). Link to profile.php in ms-users user row for current user. Add defensive check by forcing IS_PROFILE_PAGE on user-edit if trying to edit your own user_id. see #12460

git-svn-id: http://svn.automattic.com/wordpress/trunk@13941 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
nacin 2010-04-02 06:46:07 +00:00
parent ee058cca62
commit 7b55c4688a
4 changed files with 76 additions and 64 deletions

View File

@ -793,4 +793,42 @@ function _admin_notice_multisite_activate_plugins_page() {
echo "<div class='error'><p>$message</p></div>"; echo "<div class='error'><p>$message</p></div>";
} }
/**
* Grants super admin privileges.
*
* @since 3.0.0
* @param $user_id
*/
function grant_super_admin( $user_id ) {
$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
$user = new WP_User( $user_id );
if ( ! in_array( $user->user_login, $super_admins ) ) {
$super_admins[] = $user->user_login;
update_site_option( 'site_admins' , $super_admins );
}
}
/**
* Revokes super admin privileges.
*
* @since 3.0.0
* @param $user_id
*/
function revoke_super_admin( $user_id ) {
$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
$admin_email = get_site_option( 'admin_email' );
$user = new WP_User( $user_id );
if ( $user->ID != $current_user->ID || $user->user_email != $admin_email ) {
foreach ( $super_admins as $key => $username ) {
if ( $username == $user->user_login ) {
unset( $super_admins[$key] );
break;
}
}
}
update_site_option( 'site_admins' , $super_admins );
}
?> ?>

View File

@ -524,7 +524,7 @@ switch ( $_GET['action'] ) {
$doaction = $_POST['action'] != -1 ? $_POST['action'] : $_POST['action2']; $doaction = $_POST['action'] != -1 ? $_POST['action'] : $_POST['action2'];
foreach ( (array) $_POST['allusers'] as $key => $val ) { foreach ( (array) $_POST['allusers'] as $key => $val ) {
if ( $val != '' || $val != '0' ) { if ( !empty( $val ) ) {
switch ( $doaction ) { switch ( $doaction ) {
case 'delete': case 'delete':
$title = __( 'Users' ); $title = __( 'Users' );
@ -539,34 +539,12 @@ switch ( $_GET['action'] ) {
case 'superadmin': case 'superadmin':
$userfunction = 'add_superadmin'; $userfunction = 'add_superadmin';
$super_admins = get_site_option( 'site_admins', array( 'admin' ) ); grant_super_admin( $val );
$user = new WP_User( $val );
if ( ! in_array( $user->user_login, $super_admins ) ) {
if ( $current_site->blog_id )
add_user_to_blog( $current_site->blog_id, $user->ID, 'administrator' );
$super_admins[] = $user->user_login;
update_site_option( 'site_admins' , $super_admins );
}
break; break;
case 'notsuperadmin': case 'notsuperadmin':
$userfunction = 'remove_superadmin'; $userfunction = 'remove_superadmin';
$super_admins = get_site_option( 'site_admins', array( 'admin' ) ); revoke_super_admin( $val );
$admin_email = get_site_option( 'admin_email' );
$user = new WP_User( $val );
if ( $user->ID != $current_user->ID || $user->user_email != $admin_email ) {
foreach ( $super_admins as $key => $username ) {
if ( $username == $user->user_login ) {
unset( $super_admins[$key] );
break;
}
}
}
update_site_option( 'site_admins' , $super_admins );
break; break;
case 'spam': case 'spam':

View File

@ -34,12 +34,6 @@ if ( isset( $_GET['updated'] ) && $_GET['updated'] == 'true' && ! empty( $_GET['
case 'add': case 'add':
_e( 'User added.' ); _e( 'User added.' );
break; break;
case 'add_superadmin':
_e( 'Network admin added.' );
break;
case 'remove_superadmin':
_e( 'Network admin removed.' );
break;
} }
?> ?>
</p></div> </p></div>
@ -128,10 +122,8 @@ if ( isset( $_GET['updated'] ) && $_GET['updated'] == 'true' && ! empty( $_GET['
<select name="action"> <select name="action">
<option value="-1" selected="selected"><?php _e( 'Bulk Actions' ); ?></option> <option value="-1" selected="selected"><?php _e( 'Bulk Actions' ); ?></option>
<option value="delete"><?php _e( 'Delete' ); ?></option> <option value="delete"><?php _e( 'Delete' ); ?></option>
<option value="spam"><?php _e( 'Mark as Spammers' ); ?></option> <option value="spam"><?php _e( 'Mark as Spam' ); ?></option>
<option value="notspam"><?php _e( 'Not Spam' ); ?></option> <option value="notspam"><?php _e( 'Not Spam' ); ?></option>
<option value="superadmin"><?php _e( 'Add Super Admins' ); ?></option>
<option value="notsuperadmin"><?php _e( 'Remove Super Admins' ); ?></option>
</select> </select>
<input type="submit" value="<?php esc_attr_e( 'Apply' ); ?>" name="doaction" id="doaction" class="button-secondary action" /> <input type="submit" value="<?php esc_attr_e( 'Apply' ); ?>" name="doaction" id="doaction" class="button-secondary action" />
<?php wp_nonce_field( 'bulk-ms-users' ); ?> <?php wp_nonce_field( 'bulk-ms-users' ); ?>
@ -227,15 +219,16 @@ if ( isset( $_GET['updated'] ) && $_GET['updated'] == 'true' && ! empty( $_GET['
case 'login': case 'login':
$avatar = get_avatar( $user['user_email'], 32 ); $avatar = get_avatar( $user['user_email'], 32 );
$edit_link = ( $current_user->ID == $user['ID'] ) ? 'profile.php' : 'user-edit.php?user_id=' . $user['ID'];
?> ?>
<td class="username column-username"> <td class="username column-username">
<?php echo $avatar; ?><strong><a href="<?php echo esc_url( admin_url( 'user-edit.php?user_id=' . $user['ID'] ) ); ?>" class="edit"><?php echo stripslashes( $user['user_login'] ); ?></a><?php <?php echo $avatar; ?><strong><a href="<?php echo esc_url( admin_url( $edit_link ) ); ?>" class="edit"><?php echo stripslashes( $user['user_login'] ); ?></a><?php
if ( in_array( $user['user_login'], $super_admins ) ) if ( in_array( $user['user_login'], $super_admins ) )
echo ' - ' . __( 'Super admin' ); echo ' - ' . __( 'Super admin' );
?></strong> ?></strong>
<br/> <br/>
<div class="row-actions"> <div class="row-actions">
<span class="edit"><a href="<?php echo esc_url( admin_url( 'user-edit.php?user_id=' . $user['ID'] ) ); ?>"><?php _e( 'Edit'); ?></a></span> <span class="edit"><a href="<?php echo esc_url( admin_url( $edit_link ) ); ?>"><?php _e( 'Edit' ); ?></a></span>
<?php if ( ! in_array( $user['user_login'], $super_admins ) ) { ?> <?php if ( ! in_array( $user['user_login'], $super_admins ) ) { ?>
| <span class="delete"><a href="<?php echo $delete = esc_url( admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'ms-edit.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user['ID'] ) ) ); ?>" class="delete"><?php _e( 'Delete' ); ?></a></span> | <span class="delete"><a href="<?php echo $delete = esc_url( admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'ms-edit.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user['ID'] ) ) ); ?>" class="delete"><?php _e( 'Delete' ); ?></a></span>
<?php } ?> <?php } ?>
@ -323,10 +316,8 @@ if ( isset( $_GET['updated'] ) && $_GET['updated'] == 'true' && ! empty( $_GET['
<select name="action2"> <select name="action2">
<option value="-1" selected="selected"><?php _e( 'Bulk Actions' ); ?></option> <option value="-1" selected="selected"><?php _e( 'Bulk Actions' ); ?></option>
<option value="delete"><?php _e( 'Delete' ); ?></option> <option value="delete"><?php _e( 'Delete' ); ?></option>
<option value="spam"><?php _e( 'Mark as Spammers' ); ?></option> <option value="spam"><?php _e( 'Mark as Spam' ); ?></option>
<option value="notspam"><?php _e( 'Not Spam' ); ?></option> <option value="notspam"><?php _e( 'Not Spam' ); ?></option>
<option value="superadmin"><?php _e( 'Add Super Admins' ); ?></option>
<option value="notsuperadmin"><?php _e( 'Remove Super Admins' ); ?></option>
</select> </select>
<input type="submit" value="<?php esc_attr_e( 'Apply' ); ?>" name="doaction2" id="doaction2" class="button-secondary action" /> <input type="submit" value="<?php esc_attr_e( 'Apply' ); ?>" name="doaction2" id="doaction2" class="button-secondary action" />
</div> </div>

View File

@ -9,8 +9,19 @@
/** WordPress Administration Bootstrap */ /** WordPress Administration Bootstrap */
require_once('admin.php'); require_once('admin.php');
wp_reset_vars(array('action', 'redirect', 'profile', 'user_id', 'wp_http_referer'));
$user_id = (int) $user_id;
$current_user = wp_get_current_user();
if ( ! defined( 'IS_PROFILE_PAGE' ) ) if ( ! defined( 'IS_PROFILE_PAGE' ) )
define('IS_PROFILE_PAGE', false); define( 'IS_PROFILE_PAGE', ( $user_id == $current_user->ID ) );
if ( ! $user_id && IS_PROFILE_PAGE )
$user_id = $current_user->ID;
elseif ( ! $user_id && ! IS_PROFILE_PAGE )
wp_die(__( 'Invalid user ID.' ) );
elseif ( ! get_userdata( $user_id ) )
wp_die( __('Invalid user ID.') );
wp_enqueue_script('user-profile'); wp_enqueue_script('user-profile');
wp_enqueue_script('password-strength-meter'); wp_enqueue_script('password-strength-meter');
@ -22,23 +33,8 @@ else
$submenu_file = 'profile.php'; $submenu_file = 'profile.php';
$parent_file = 'users.php'; $parent_file = 'users.php';
wp_reset_vars(array('action', 'redirect', 'profile', 'user_id', 'wp_http_referer'));
$wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer)); $wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer));
$user_id = (int) $user_id;
if ( !$user_id ) {
if ( IS_PROFILE_PAGE ) {
$current_user = wp_get_current_user();
$user_id = $current_user->ID;
} else {
wp_die(__('Invalid user ID.'));
}
} elseif ( !get_userdata($user_id) ) {
wp_die( __('Invalid user ID.') );
}
$all_post_caps = array('posts', 'pages'); $all_post_caps = array('posts', 'pages');
$user_can_edit = false; $user_can_edit = false;
foreach ( $all_post_caps as $post_cap ) foreach ( $all_post_caps as $post_cap )
@ -123,7 +119,10 @@ if ( !is_multisite() ) {
if ( !isset( $errors ) || ( isset( $errors ) && is_object( $errors ) && false == $errors->get_error_codes() ) ) if ( !isset( $errors ) || ( isset( $errors ) && is_object( $errors ) && false == $errors->get_error_codes() ) )
$errors = edit_user($user_id); $errors = edit_user($user_id);
if ( $delete_role ) // stops users being added to current blog when they are edited if ( $delete_role ) // stops users being added to current blog when they are edited
update_user_meta( $user_id, $blog_prefix . 'capabilities' , '' ); delete_user_meta( $user_id, $blog_prefix . 'capabilities' );
if ( is_multisite() && is_super_admin() && !IS_PROFILE_PAGE )
empty( $_POST['super_admin'] ) ? revoke_super_admin( $user_id ) : grant_super_admin( $user_id );
} }
if ( !is_wp_error( $errors ) ) { if ( !is_wp_error( $errors ) ) {
@ -142,6 +141,9 @@ if ( !current_user_can('edit_user', $user_id) )
include ('admin-header.php'); include ('admin-header.php');
?> ?>
<?php if ( !IS_PROFILE_PAGE && is_super_admin( $profileuser->ID ) ) { ?>
<div class="updated"><p><strong><?php _e('Important:'); ?></strong> <?php _e('This user has super admin privileges.'); ?></p></div>
<?php } ?>
<?php if ( isset($_GET['updated']) ) : ?> <?php if ( isset($_GET['updated']) ) : ?>
<div id="message" class="updated"> <div id="message" class="updated">
<p><strong><?php _e('User updated.') ?></strong></p> <p><strong><?php _e('User updated.') ?></strong></p>
@ -165,7 +167,7 @@ include ('admin-header.php');
<?php screen_icon(); ?> <?php screen_icon(); ?>
<h2><?php echo esc_html( $title ); ?></h2> <h2><?php echo esc_html( $title ); ?></h2>
<form id="your-profile" action="<?php if ( IS_PROFILE_PAGE ) { echo admin_url('profile.php'); } else { echo admin_url('user-edit.php'); } ?>" method="post"> <form id="your-profile" action="<?php echo esc_url( admin_url( IS_PROFILE_PAGE ? 'profile.php' : 'user-edit.php' ) ); ?>" method="post">
<?php wp_nonce_field('update-user_' . $user_id) ?> <?php wp_nonce_field('update-user_' . $user_id) ?>
<?php if ( $wp_http_referer ) : ?> <?php if ( $wp_http_referer ) : ?>
<input type="hidden" name="wp_http_referer" value="<?php echo esc_url($wp_http_referer); ?>" /> <input type="hidden" name="wp_http_referer" value="<?php echo esc_url($wp_http_referer); ?>" />
@ -232,7 +234,11 @@ if ( $user_role )
else else
echo '<option value="" selected="selected">' . __('&mdash; No role for this blog &mdash;') . '</option>'; echo '<option value="" selected="selected">' . __('&mdash; No role for this blog &mdash;') . '</option>';
?> ?>
</select></td></tr> </select>
<?php if ( is_multisite() && is_super_admin() ) { ?>
<p><label><input type="checkbox" id="super_admin" name="super_admin"<?php checked( is_super_admin( $profileuser->ID ) ); ?> /> <?php _e( 'Grant this user super admin privileges for the Network.'); ?></label></p>
<?php } ?>
</td></tr>
<?php endif; //!IS_PROFILE_PAGE ?> <?php endif; //!IS_PROFILE_PAGE ?>
<tr> <tr>
@ -331,11 +337,10 @@ if ( $show_password_fields ) :
</table> </table>
<?php <?php
if ( IS_PROFILE_PAGE ) { if ( IS_PROFILE_PAGE )
do_action( 'show_user_profile', $profileuser ); do_action( 'show_user_profile', $profileuser );
} else { else
do_action( 'edit_user_profile', $profileuser ); do_action( 'edit_user_profile', $profileuser );
}
?> ?>
<?php if ( count($profileuser->caps) > count($profileuser->roles) && apply_filters('additional_capabilities_display', true, $profileuser) ) { ?> <?php if ( count($profileuser->caps) > count($profileuser->roles) && apply_filters('additional_capabilities_display', true, $profileuser) ) { ?>