WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Multisite: Handle capability check for removing oneself via `map_meta_cap()`. 

Site administrators should not be able to remove themselves from a site. This moves the enforcement of this rule from `wp-admin/users.php` to `remove_user_from_blog()` via the `remove_user` capability, which furthermore allows us to get rid of two additional clauses and their `is_super_admin()` checks in `wp-admin/users.php`. A unit test for the new behavior has been added.

Fixes #39063. See #37616.

Built from https://develop.svn.wordpress.org/trunk@39588


git-svn-id: http://core.svn.wordpress.org/trunk@39528 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Felix Arntz 2016-12-12 21:42:42 +00:00
parent ee36cf9214
commit f704fc808a
3 changed files with 8 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
wp-admin/users.php
View File

@ -321,10 +321,6 @@ case 'doremove':
$update = 'remove'; $update = 'remove';
foreach ( $userids as $id ) { foreach ( $userids as $id ) {
$id = (int) $id; $id = (int) $id;
if ( $id == $current_user->ID && !is_super_admin() ) {
$update = 'err_admin_remove';
continue;
}
if ( !current_user_can('remove_user', $id) ) { if ( !current_user_can('remove_user', $id) ) {
$update = 'err_admin_remove'; $update = 'err_admin_remove';
continue; continue;
@ -377,10 +373,7 @@ case 'remove':
foreach ( $userids as $id ) { foreach ( $userids as $id ) {
$id = (int) $id; $id = (int) $id;
$user = get_userdata( $id ); $user = get_userdata( $id );
if ( $id == $current_user->ID && !is_super_admin() ) { if ( ! current_user_can( 'remove_user', $id ) ) {
/* translators: 1: user id, 2: user login */
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>The current user will not be removed.</strong>'), $id, $user->user_login) . "</li>\n";
} elseif ( !current_user_can('remove_user', $id) ) {
/* translators: 1: user id, 2: user login */ /* translators: 1: user id, 2: user login */
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>Sorry, you are not allowed to remove this user.</strong>'), $id, $user->user_login) . "</li>\n"; echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>Sorry, you are not allowed to remove this user.</strong>'), $id, $user->user_login) . "</li>\n";
} else { } else {

7
wp-includes/capabilities.php
View File

@ -32,7 +32,12 @@ function map_meta_cap( $cap, $user_id ) {
switch ( $cap ) { switch ( $cap ) {
case 'remove_user': case 'remove_user':
$caps[] = 'remove_users'; // In multisite the user must be a super admin to remove themselves.
if ( isset( $args[0] ) && $user_id == $args[0] && ! is_super_admin( $user_id ) ) {
$caps[] = 'do_not_allow';
} else {
$caps[] = 'remove_users';
}
break; break;
case 'promote_user': case 'promote_user':
case 'add_users': case 'add_users':

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.8-alpha-39586'; $wp_version = '4.8-alpha-39588';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.