sergiotarxz
/
Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Capabilities: Prevent users having the `do_not_allow` capability. 

Meta capabilities use the capability `do_not_allow` to indicate a user should be blocked from performing a particular action. This ensures users can not have the capability as it would cause unexpected behaviour.

Props johnbillion.
Fixes #41059.



git-svn-id: https://develop.svn.wordpress.org/trunk@40993 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Peter Wilson 2017-07-02 05:15:42 +00:00
parent bf850da3ec
commit 3a4ffa09ab
2 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/wp-includes/class-wp-user.php
View File

@ -748,6 +748,9 @@ class WP_User {
// Everyone is allowed to exist.
$capabilities['exist'] = true;
// Nobody is allowed to do things they are not allowed to do.
unset( $capabilities['do_not_allow'] );
// Must have ALL requested caps.
foreach ( (array) $caps as $cap ) {
if ( empty( $capabilities[ $cap ] ) )

51
tests/phpunit/tests/user/capabilities.php
View File

@ -494,6 +494,57 @@ class Tests_User_Capabilities extends WP_UnitTestCase {
$this->assertTrue( user_can( $user, 'exist' ), "User with the {$role} role should have the exist capability" );
}
/**
* @ticket 41059
*/
public function test_do_not_allow_is_denied_for_all_roles() {
foreach ( self::$users as $role => $user ) {
# Test adding the cap directly to the user
$user->add_cap( 'do_not_allow' );
$has_cap = $user->has_cap( 'do_not_allow' );
$user->remove_cap( 'do_not_allow' );
$this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
# Test adding the cap to the user's role
$role_obj = get_role( $role );
$role_obj->add_cap( 'do_not_allow' );
$has_cap = $user->has_cap( 'do_not_allow' );
$role_obj->remove_cap( 'do_not_allow' );
$this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
# Test adding the cap via a filter
add_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
$has_cap = $user->has_cap( 'do_not_allow' );
remove_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
$this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
}
}
/**
* @group ms-required
* @ticket 41059
*/
public function test_do_not_allow_is_denied_for_super_admins() {
# Test adding the cap directly to the user
self::$super_admin->add_cap( 'do_not_allow' );
$has_cap = self::$super_admin->has_cap( 'do_not_allow' );
self::$super_admin->remove_cap( 'do_not_allow' );
$this->assertFalse( $has_cap, 'Super admins should not have the do_not_allow capability' );
# Test adding the cap via a filter
add_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
$has_cap = self::$super_admin->has_cap( 'do_not_allow' );
remove_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
$this->assertFalse( $has_cap, 'Super admins should not have the do_not_allow capability' );
}
public function grant_do_not_allow( $allcaps, $caps, $args, $user ) {
$allcaps['do_not_allow'] = true;
return $allcaps;
}
// special case for the link manager
function test_link_manager_caps() {
$caps = array(