IntenseWebs/WordPress
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Multisite: Handle capability check for removing oneself via map_meta_cap().

Browse Source 
Site administrators should not be able to remove themselves from a site. This moves the enforcement of this rule from `wp-admin/users.php` to `remove_user_from_blog()` via the `remove_user` capability, which furthermore allows us to get rid of two additional clauses and their `is_super_admin()` checks in `wp-admin/users.php`. A unit test for the new behavior has been added.

Fixes #39063. See #37616.

Built from https://develop.svn.wordpress.org/trunk@39588


git-svn-id: http://core.svn.wordpress.org/trunk@39528 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Felix Arntz
2016-12-12 21:42:42 +00:00
parent ee36cf9214
commit f704fc808a
3 changed files with 8 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
wp-admin/users.php
View File

@@ -321,10 +321,6 @@ case 'doremove':
$update = 'remove';
foreach ( $userids as $id ) {
$id = (int) $id;
if ( $id == $current_user->ID && !is_super_admin() ) {
$update = 'err_admin_remove';
continue;
}
if ( !current_user_can('remove_user', $id) ) {
$update = 'err_admin_remove';
continue;
@@ -377,10 +373,7 @@ case 'remove':
foreach ( $userids as $id ) {
$id = (int) $id;
$user = get_userdata( $id );
if ( $id == $current_user->ID && !is_super_admin() ) {
/* translators: 1: user id, 2: user login */
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>The current user will not be removed.</strong>'), $id, $user->user_login) . "</li>\n";
} elseif ( !current_user_can('remove_user', $id) ) {
if ( ! current_user_can( 'remove_user', $id ) ) {
/* translators: 1: user id, 2: user login */
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>Sorry, you are not allowed to remove this user.</strong>'), $id, $user->user_login) . "</li>\n";
} else {