From 1abf42b45e6cef9d032d79c603c2830381e6b3c3 Mon Sep 17 00:00:00 2001
From: Felix Arntz <flixos90@git.wordpress.org>
Date: Mon, 10 Apr 2017 21:10:48 +0000
Subject: [PATCH] Multisite: Introduce an `upgrade_network` capability.

Prior to this change, a mix of `is_super_admin()` calls and `manage_network` capability checks was used to determine whether the current user could upgrade the network. With this changeset a dedicated capability is introduced that allows more granular handling.

Props dhanendran for the original patch.
Fixes #39205. See #37616.


git-svn-id: https://develop.svn.wordpress.org/trunk@40404 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/ms.php              | 2 +-
 src/wp-admin/network/menu.php             | 2 +-
 src/wp-admin/network/upgrade.php          | 3 ++-
 src/wp-includes/capabilities.php          | 1 +
 tests/phpunit/tests/user/capabilities.php | 2 ++
 5 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/wp-admin/includes/ms.php b/src/wp-admin/includes/ms.php
index 6a4ca9d380..939d0d08b7 100644
--- a/src/wp-admin/includes/ms.php
+++ b/src/wp-admin/includes/ms.php
@@ -785,7 +785,7 @@ function mu_dropdown_languages( $lang_files = array(), $current = '' ) {
 function site_admin_notice() {
 	global $wp_db_version, $pagenow;
 
-	if ( ! is_super_admin() ) {
+	if ( ! current_user_can( 'upgrade_network' ) ) {
 		return false;
 	}
 
diff --git a/src/wp-admin/network/menu.php b/src/wp-admin/network/menu.php
index 41281e7d56..e4cc786cc7 100644
--- a/src/wp-admin/network/menu.php
+++ b/src/wp-admin/network/menu.php
@@ -19,7 +19,7 @@ if ( $update_data['counts']['total'] ) {
 	$submenu['index.php'][10] = array( __( 'Updates' ), 'update_core', 'update-core.php' );
 }
 
-$submenu['index.php'][15] = array( __( 'Upgrade Network' ), 'manage_network', 'upgrade.php' );
+$submenu['index.php'][15] = array( __( 'Upgrade Network' ), 'upgrade_network', 'upgrade.php' );
 
 $menu[4] = array( '', 'read', 'separator1', '', 'wp-menu-separator' );
 
diff --git a/src/wp-admin/network/upgrade.php b/src/wp-admin/network/upgrade.php
index 5c2d3f990f..46c6a94429 100644
--- a/src/wp-admin/network/upgrade.php
+++ b/src/wp-admin/network/upgrade.php
@@ -32,8 +32,9 @@ get_current_screen()->set_help_sidebar(
 
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
 
-if ( ! current_user_can( 'manage_network' ) )
+if ( ! current_user_can( 'upgrade_network' ) ) {
 	wp_die( __( 'Sorry, you are not allowed to access this page.' ), 403 );
+}
 
 echo '<div class="wrap">';
 echo '<h1>' . __( 'Upgrade Network' ) . '</h1>';
diff --git a/src/wp-includes/capabilities.php b/src/wp-includes/capabilities.php
index 0e766b16e8..abd872575e 100644
--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -478,6 +478,7 @@ function map_meta_cap( $cap, $user_id ) {
 	case 'manage_network_plugins':
 	case 'manage_network_themes':
 	case 'manage_network_options':
+	case 'upgrade_network':
 		$caps[] = $cap;
 		break;
 	case 'setup_network':
diff --git a/tests/phpunit/tests/user/capabilities.php b/tests/phpunit/tests/user/capabilities.php
index 88de40642e..a47901136c 100644
--- a/tests/phpunit/tests/user/capabilities.php
+++ b/tests/phpunit/tests/user/capabilities.php
@@ -226,6 +226,7 @@ class Tests_User_Capabilities extends WP_UnitTestCase {
 			'manage_network_themes'  => array(),
 			'manage_network_options' => array(),
 			'delete_site'            => array(),
+			'upgrade_network'        => array(),
 
 			'setup_network'          => array( 'administrator' ),
 			'upload_plugins'         => array( 'administrator' ),
@@ -259,6 +260,7 @@ class Tests_User_Capabilities extends WP_UnitTestCase {
 			'upload_plugins'         => array(),
 			'upload_themes'          => array(),
 			'edit_css'               => array(),
+			'upgrade_network'        => array(),
 
 			'customize'              => array( 'administrator' ),
 			'delete_site'            => array( 'administrator' ),