Check delete_site and delete_sites caps. Check for delete_user is more places.

git-svn-id: http://svn.automattic.com/wordpress/trunk@16329 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
ryan 2010-11-12 16:35:28 +00:00
parent dd1630305b
commit f5282d040d
3 changed files with 27 additions and 8 deletions

View File

@ -115,7 +115,8 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
function get_bulk_actions() {
$actions = array();
$actions['delete'] = __( 'Delete' );
if ( current_user_can( 'delete_sites' ) )
$actions['delete'] = __( 'Delete' );
$actions['spam'] = _x( 'Mark as Spam', 'site' );
$actions['notspam'] = _x( 'Not Spam', 'site' );
@ -247,7 +248,8 @@ class WP_MS_Sites_List_Table extends WP_List_Table {
else
$actions['spam'] = '<span class="spam"><a href="' . esc_url( network_admin_url( 'edit.php?action=confirm&amp;action2=spamblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to mark the site %s as spam.' ), $blogname ) ) ) ) . '">' . _x( 'Spam', 'site' ) . '</a></span>';
$actions['delete'] = '<span class="delete"><a href="' . esc_url( network_admin_url( 'edit.php?action=confirm&amp;action2=deleteblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to delete the site %s.' ), $blogname ) ) ) ) . '">' . __( 'Delete' ) . '</a></span>';
if ( current_user_can( 'delete_site', $blog['blog_id'] ) )
$actions['delete'] = '<span class="delete"><a href="' . esc_url( network_admin_url( 'edit.php?action=confirm&amp;action2=deleteblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to delete the site %s.' ), $blogname ) ) ) ) . '">' . __( 'Delete' ) . '</a></span>';
}
$actions['visit'] = "<span class='view'><a href='" . esc_url( get_home_url( $blog['blog_id'] ) ) . "' rel='permalink'>" . __( 'Visit' ) . '</a></span>';

View File

@ -36,6 +36,9 @@ function confirm_delete_users( $users ) {
if ( $val != '' && $val != '0' ) {
$delete_user = new WP_User( $val );
if ( ! current_user_can( 'delete_user', $delete_user->ID ) )
wp_die( sprintf( __( 'Warning! User %s cannot be deleted.' ), $delete_user->user_login ) );
if ( in_array( $delete_user->user_login, $site_admins ) )
wp_die( sprintf( __( 'Warning! User cannot be deleted. The user %s is a network admnistrator.' ), $delete_user->user_login ) );
@ -166,13 +169,16 @@ switch ( $_GET['action'] ) {
case 'deleteblog':
check_admin_referer('deleteblog');
if ( ! current_user_can( 'manage_sites' ) )
if ( ! ( current_user_can( 'manage_sites' ) && current_user_can( 'delete_sites' ) ) )
wp_die( __( 'You do not have permission to access this page.' ) );
if ( $id != '0' && $id != $current_site->blog_id )
if ( $id != '0' && $id != $current_site->blog_id && current_user_can ( 'delete_site', $id ) ) {
wpmu_delete_blog( $id, true );
wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), wp_get_referer() ) );
wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), wp_get_referer() ) );
} else {
wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'not_deleted' ), wp_get_referer() ) );
}
exit();
break;
@ -191,6 +197,8 @@ switch ( $_GET['action'] ) {
if ( $val != '0' && $val != $current_site->blog_id ) {
switch ( $doaction ) {
case 'delete':
if ( ! current_user_can( 'delete_site', $val ) )
wp_die( __( 'You are not allowed to delete the site.' ) );
$blogfunction = 'all_delete';
wpmu_delete_blog( $val, true );
break;
@ -359,7 +367,7 @@ switch ( $_GET['action'] ) {
break;
case 'allusers':
if ( ! current_user_can( 'manage_network_users' ) )
if ( current_user_can( 'manage_network_users' ) )
wp_die( __( 'You do not have permission to access this page.' ) );
if ( isset( $_POST['doaction']) || isset($_POST['doaction2'] ) ) {
@ -372,6 +380,8 @@ switch ( $_GET['action'] ) {
if ( !empty( $val ) ) {
switch ( $doaction ) {
case 'delete':
if ( ! current_user_can( 'delete_users' ) )
wp_die( __( 'You do not have permission to access this page.' ) );
$title = __( 'Users' );
$parent_file = 'users.php';
require_once( '../admin-header.php' );
@ -417,12 +427,15 @@ switch ( $_GET['action'] ) {
case 'dodelete':
check_admin_referer( 'ms-users-delete' );
if ( ! current_user_can( 'manage_network_users' ) )
if ( ! ( current_user_can( 'manage_network_users' ) && current_user_can( 'delete_users' ) ) )
wp_die( __( 'You do not have permission to access this page.' ) );
if ( ! empty( $_POST['blog'] ) && is_array( $_POST['blog'] ) ) {
foreach ( $_POST['blog'] as $id => $users ) {
foreach ( $users as $blogid => $user_id ) {
if ( ! current_user_can( 'delete_user', $id ) )
continue;
if ( ! empty( $_POST['delete'] ) && 'reassign' == $_POST['delete'][$blogid][$id] )
remove_user_from_blog( $id, $blogid, $user_id );
else
@ -433,6 +446,8 @@ switch ( $_GET['action'] ) {
$i = 0;
if ( is_array( $_POST['user'] ) && ! empty( $_POST['user'] ) )
foreach( $_POST['user'] as $id ) {
if ( ! current_user_can( 'delete_user', $id ) )
continue;
wpmu_delete_user( $id );
$i++;
}

View File

@ -54,6 +54,8 @@ if ( isset( $_REQUEST['updated'] ) && $_REQUEST['updated'] == 'true' && ! empty(
break;
case 'delete':
$msg = __( 'Site deleted.' );
case 'not_deleted':
$msg = __( 'You do not have permission to delete that site.' );
break;
case 'archive':
$msg = __( 'Site archived.' );