Multisite: Handle capability check for removing oneself via `map_meta_cap()`.
Site administrators should not be able to remove themselves from a site. This moves the enforcement of this rule from `wp-admin/users.php` to `remove_user_from_blog()` via the `remove_user` capability, which furthermore allows us to get rid of two additional clauses and their `is_super_admin()` checks in `wp-admin/users.php`. A unit test for the new behavior has been added. Fixes #39063. See #37616. Built from https://develop.svn.wordpress.org/trunk@39588 git-svn-id: http://core.svn.wordpress.org/trunk@39528 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
ee36cf9214
commit
f704fc808a
|
@ -321,10 +321,6 @@ case 'doremove':
|
||||||
$update = 'remove';
|
$update = 'remove';
|
||||||
foreach ( $userids as $id ) {
|
foreach ( $userids as $id ) {
|
||||||
$id = (int) $id;
|
$id = (int) $id;
|
||||||
if ( $id == $current_user->ID && !is_super_admin() ) {
|
|
||||||
$update = 'err_admin_remove';
|
|
||||||
continue;
|
|
||||||
}
|
|
||||||
if ( !current_user_can('remove_user', $id) ) {
|
if ( !current_user_can('remove_user', $id) ) {
|
||||||
$update = 'err_admin_remove';
|
$update = 'err_admin_remove';
|
||||||
continue;
|
continue;
|
||||||
|
@ -377,10 +373,7 @@ case 'remove':
|
||||||
foreach ( $userids as $id ) {
|
foreach ( $userids as $id ) {
|
||||||
$id = (int) $id;
|
$id = (int) $id;
|
||||||
$user = get_userdata( $id );
|
$user = get_userdata( $id );
|
||||||
if ( $id == $current_user->ID && !is_super_admin() ) {
|
if ( ! current_user_can( 'remove_user', $id ) ) {
|
||||||
/* translators: 1: user id, 2: user login */
|
|
||||||
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>The current user will not be removed.</strong>'), $id, $user->user_login) . "</li>\n";
|
|
||||||
} elseif ( !current_user_can('remove_user', $id) ) {
|
|
||||||
/* translators: 1: user id, 2: user login */
|
/* translators: 1: user id, 2: user login */
|
||||||
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>Sorry, you are not allowed to remove this user.</strong>'), $id, $user->user_login) . "</li>\n";
|
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>Sorry, you are not allowed to remove this user.</strong>'), $id, $user->user_login) . "</li>\n";
|
||||||
} else {
|
} else {
|
||||||
|
|
|
@ -32,7 +32,12 @@ function map_meta_cap( $cap, $user_id ) {
|
||||||
|
|
||||||
switch ( $cap ) {
|
switch ( $cap ) {
|
||||||
case 'remove_user':
|
case 'remove_user':
|
||||||
|
// In multisite the user must be a super admin to remove themselves.
|
||||||
|
if ( isset( $args[0] ) && $user_id == $args[0] && ! is_super_admin( $user_id ) ) {
|
||||||
|
$caps[] = 'do_not_allow';
|
||||||
|
} else {
|
||||||
$caps[] = 'remove_users';
|
$caps[] = 'remove_users';
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
case 'promote_user':
|
case 'promote_user':
|
||||||
case 'add_users':
|
case 'add_users':
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
*
|
*
|
||||||
* @global string $wp_version
|
* @global string $wp_version
|
||||||
*/
|
*/
|
||||||
$wp_version = '4.8-alpha-39586';
|
$wp_version = '4.8-alpha-39588';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||||
|
|
Loading…
Reference in New Issue