New 'list_users' cap to provide more controls over listing users vs. editing

users. Apply this new cap to the 'Authors & Users' menu item and 'Users' page in wp-admin. Bump db version to 14139 to pick up the new cap. See #13074 git-svn-id: http://svn.automattic.com/wordpress/trunk@14189 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-04-22 19:48:13 +00:00 · 2010-04-22 19:48:13 +00:00 · e26aed0ac4
parent f4ccd9cac3
commit e26aed0ac4
7 changed files with 24 additions and 14 deletions
--- a/wp-admin/includes/schema.php
+++ b/wp-admin/includes/schema.php
@ -607,6 +607,7 @@ function populate_roles_300() {

 	if ( !empty( $role ) ) {
 		$role->add_cap( 'update_core' );
+		$role->add_cap( 'list_users' );
 		$role->add_cap( 'remove_users' );
 		$role->add_cap( 'add_users' );
 		$role->add_cap( 'promote_users' );
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@ -1812,7 +1812,7 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
 		$short_url = substr( $short_url, 0, 32 ).'...';
 	$checkbox = '';
 	// Check if the user for this row is editable
-	if ( current_user_can( 'edit_user', $user_object->ID ) ) {
+	if ( current_user_can( 'list_users', $user_object->ID ) ) {
 		// Set up the user editing link
 		// TODO: make profile/user-edit determination a separate function
 		if ($current_user->ID == $user_object->ID) {
@ -1824,7 +1824,9 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {

 		// Set up the hover actions for this user
 		$actions = array();
-		$actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
+
+		if ( current_user_can('edit_user',  $user_object->ID) )
+			$actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
 		if ( !is_multisite() && $current_user->ID != $user_object->ID && current_user_can('delete_user', $user_object->ID) )
 			$actions['delete'] = "<a class='submitdelete' href='" . wp_nonce_url("users.php?action=delete&amp;user=$user_object->ID", 'bulk-users') . "'>" . __('Delete') . "</a>";
 		if ( is_multisite() && $current_user->ID != $user_object->ID && current_user_can('remove_user', $user_object->ID) )
--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@ -440,7 +440,7 @@ function upgrade_all() {
 	if ( $wp_current_db_version < 11958 )
 		upgrade_290();

-	if ( $wp_current_db_version < 14138 )
+	if ( $wp_current_db_version < 14139 )
 		upgrade_300();

 	maybe_disable_automattic_widgets();
@ -1108,14 +1108,14 @@ function upgrade_290() {
 function upgrade_300() {
 	global $wp_current_db_version, $wpdb;

-	if ( $wp_current_db_version < 12751 ) {
+	if ( $wp_current_db_version < 14139 ) {
 		populate_roles_300();
 		if ( is_multisite() && is_main_site() && ! defined( 'MULTISITE' ) && get_site_option( 'siteurl' ) === false )
 			add_site_option( 'siteurl', '' );
 	}

 	// #11866 (Convert the taxonomy children cache into a transient) - Remove old cache.
-	if ( $wp_current_db_version < 14138 ) {
+	if ( $wp_current_db_version < 14139 ) {
 		foreach ( get_taxonomies( array('hierarchical' => true) )  as $taxonomy )
 			delete_option($taxonomy . '_children');
 	}
--- a/wp-admin/menu.php
+++ b/wp-admin/menu.php
@ -172,14 +172,14 @@ if ( is_super_admin() || ( is_multisite() && isset($menu_perms['plugins']) && $m
 }
 unset($menu_perms, $update_plugins, $update_count);

-if ( current_user_can('edit_users') )
-	$menu[70] = array( __('Users'), 'edit_users', 'users.php', '', 'menu-top menu-icon-users', 'menu-users', 'div' );
+if ( current_user_can('list_users') )
+	$menu[70] = array( __('Users'), 'list_users', 'users.php', '', 'menu-top menu-icon-users', 'menu-users', 'div' );
 else
 	$menu[70] = array( __('Profile'), 'read', 'profile.php', '', 'menu-top menu-icon-users', 'menu-users', 'div' );

-if ( current_user_can('edit_users') ) {
+if ( current_user_can('list_users') ) {
 	$_wp_real_parent_file['profile.php'] = 'users.php'; // Back-compat for plugins adding submenus to profile.php.
-	$submenu['users.php'][5] = array(__('Authors & Users'), 'edit_users', 'users.php');
+	$submenu['users.php'][5] = array(__('Authors & Users'), 'list_users', 'users.php');
 	$submenu['users.php'][10] = array(_x('Add New', 'user'), 'create_users', 'user-new.php');

 	$submenu['users.php'][15] = array(__('Your Profile'), 'read', 'profile.php');
--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@ -12,7 +12,7 @@ require_once('./admin.php');
 /** WordPress Registration API */
 require_once( ABSPATH . WPINC . '/registration.php');

-if ( !current_user_can('edit_users') )
+if ( !current_user_can('list_users') )
 	wp_die(__('Cheatin&#8217; uh?'));

 $title = __('Users');
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
@ -806,9 +806,16 @@ function map_meta_cap( $cap, $user_id ) {
 		$caps[] = 'promote_users';
 		break;
 	case 'edit_user':
-		if ( !isset( $args[0] ) || $user_id != $args[0] ) {
-			$caps[] = 'edit_users';
-		}
+		// Allow user to edit itself
+		if ( isset( $args[0] ) && $user_id == $args[0] )
+			break;
+		// Fall through
+	case 'edit_users':
+		// If multisite these caps are allowed only for super admins.
+		if ( is_multisite() && !is_super_admin() )
+			$caps[] = 'do_not_allow';
+		else
+			$caps[] = $cap;
 		break;
 	case 'delete_post':
 		$author_data = get_userdata( $user_id );
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -15,7 +15,7 @@ $wp_version = '3.0-beta1';
 *
 * @global int $wp_db_version
 */
-$wp_db_version = 14138;
+$wp_db_version = 14139;

 /**
 * Holds the TinyMCE version