sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Move wp_redirect calls to the end of the switch in users.php. Fix unrelated bug where the user's cap should be check, rather than their role's cap. see #16166.

Browse Source 
git-svn-id: https://develop.svn.wordpress.org/trunk@17275 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Andrew Nacin 2011-01-13 00:22:53 +00:00
parent b6cd198d8e
commit 166014d76e
1 changed files with 30 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
wp-admin/users.php
View File

@ -42,16 +42,16 @@ if ( empty($_REQUEST) ) {
$update = ''; $update = '';
switch ( $wp_list_table->current_action() ) { if ( $doaction = $wp_list_table->current_action() ) {
switch ( $doaction ) {
/* Bulk Dropdown menu Role changes */ /* Bulk Dropdown menu Role changes */
case 'promote': case 'promote':
check_admin_referer('bulk-users'); check_admin_referer('bulk-users');
if ( empty($_REQUEST['users']) ) { if ( empty($_REQUEST['users']) )
wp_redirect($redirect); break;
exit();
}
$editable_roles = get_editable_roles(); $editable_roles = get_editable_roles();
if ( empty( $editable_roles[$_REQUEST['new_role']] ) ) if ( empty( $editable_roles[$_REQUEST['new_role']] ) )
@ -65,7 +65,7 @@ case 'promote':
if ( ! current_user_can('promote_user', $id) ) if ( ! current_user_can('promote_user', $id) )
wp_die(__('You can’t edit that user.')); wp_die(__('You can’t edit that user.'));
// The new role of the current user must also have promote_users caps // The new role of the current user must also have promote_users caps
if ( $id == $current_user->ID && !$wp_roles->role_objects[$_REQUEST['new_role']]->has_cap('promote_users') ) { if ( $id == $current_user->ID && ! current_user_can('promote_users') ) {
$update = 'err_admin_role'; $update = 'err_admin_role';
continue; continue;
} }
@ -78,8 +78,7 @@ case 'promote':
$user->set_role($_REQUEST['new_role']); $user->set_role($_REQUEST['new_role']);
} }
wp_redirect(add_query_arg('update', $update, $redirect)); $redirect = add_query_arg( 'update', $update, $redirect );
exit();
break; break;
@ -89,10 +88,8 @@ case 'dodelete':
check_admin_referer('delete-users'); check_admin_referer('delete-users');
if ( empty($_REQUEST['users']) ) { if ( empty($_REQUEST['users']) )
wp_redirect($redirect); break;
exit();
}
if ( ! current_user_can( 'delete_users' ) ) if ( ! current_user_can( 'delete_users' ) )
wp_die(__('You can’t delete users.')); wp_die(__('You can’t delete users.'));
@ -125,8 +122,6 @@ case 'dodelete':
} }
$redirect = add_query_arg( array('delete_count' => $delete_count, 'update' => $update), $redirect); $redirect = add_query_arg( array('delete_count' => $delete_count, 'update' => $update), $redirect);
wp_redirect($redirect);
exit();
break; break;
@ -136,10 +131,8 @@ case 'delete':
check_admin_referer('bulk-users'); check_admin_referer('bulk-users');
if ( empty($_REQUEST['users']) && empty($_REQUEST['user']) ) { if ( empty($_REQUEST['users']) && empty($_REQUEST['user']) )
wp_redirect($redirect); break;
exit();
}
if ( ! current_user_can( 'delete_users' ) ) if ( ! current_user_can( 'delete_users' ) )
$errors = new WP_Error( 'edit_users', __( 'You can’t delete users.' ) ); $errors = new WP_Error( 'edit_users', __( 'You can’t delete users.' ) );
@ -149,6 +142,8 @@ case 'delete':
else else
$userids = $_REQUEST['users']; $userids = $_REQUEST['users'];
$redirect = false;
include ('admin-header.php'); include ('admin-header.php');
?> ?>
<form action="" method="post" name="updateusers" id="updateusers"> <form action="" method="post" name="updateusers" id="updateusers">
@ -191,16 +186,15 @@ case 'delete':
</div> </div>
</form> </form>
<?php <?php
include('./admin-footer.php');
break; break;
case 'doremove': case 'doremove':
check_admin_referer('remove-users'); check_admin_referer('remove-users');
if ( empty($_REQUEST['users']) ) { if ( empty($_REQUEST['users']) )
wp_redirect($redirect); break;
exit;
}
if ( !current_user_can('remove_users') ) if ( !current_user_can('remove_users') )
die(__('You can&#8217;t remove users.')); die(__('You can&#8217;t remove users.'));
@ -222,8 +216,6 @@ case 'doremove':
} }
$redirect = add_query_arg( array('update' => $update), $redirect); $redirect = add_query_arg( array('update' => $update), $redirect);
wp_redirect($redirect);
exit;
break; break;
@ -231,10 +223,8 @@ case 'remove':
check_admin_referer('bulk-users'); check_admin_referer('bulk-users');
if ( empty($_REQUEST['users']) && empty($_REQUEST['user']) ) { if ( empty($_REQUEST['users']) && empty($_REQUEST['user']) )
wp_redirect($redirect); break;
exit();
}
if ( !current_user_can('remove_users') ) if ( !current_user_can('remove_users') )
$error = new WP_Error('edit_users', __('You can&#8217;t remove users.')); $error = new WP_Error('edit_users', __('You can&#8217;t remove users.'));
@ -244,6 +234,8 @@ case 'remove':
else else
$userids = $_REQUEST['users']; $userids = $_REQUEST['users'];
$redirect = false;
include ('admin-header.php'); include ('admin-header.php');
?> ?>
<form action="" method="post" name="updateusers" id="updateusers"> <form action="" method="post" name="updateusers" id="updateusers">
@ -279,12 +271,20 @@ case 'remove':
</div> </div>
</form> </form>
<?php <?php
include('./admin-footer.php');
break; break;
default: default:
if ( !empty($_GET['_wp_http_referer']) ) { } // end of the $doaction switch
if ( $redirect )
wp_redirect( $redirect );
exit();
} // end of the $doaction if
elseif ( !empty($_GET['_wp_http_referer']) ) {
wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI']))); wp_redirect(remove_query_arg(array('_wp_http_referer', '_wpnonce'), stripslashes($_SERVER['REQUEST_URI'])));
exit; exit;
} }
@ -378,8 +378,5 @@ if ( is_multisite() ) {
<br class="clear" /> <br class="clear" />
</div> </div>
<?php <?php
break;
} // end of the $doaction switch
include('./admin-footer.php'); include('./admin-footer.php');