From 45b183ea79af16a4f21e907de7f7d71deb3ff077 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Sun, 7 May 2017 17:41:24 +0000
Subject: [PATCH] Users: Correct a permission check when showing the User item in the `+ New` admin toolbar menu.

Props dlh
Fixes #39252

git-svn-id: https://develop.svn.wordpress.org/trunk@40581 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/admin-bar.php | 3 +-
 tests/phpunit/tests/adminbar.php | 92 ++++++++++++++++++++++++++++++++
 2 files changed, 94 insertions(+), 1 deletion(-)

diff --git a/src/wp-includes/admin-bar.php b/src/wp-includes/admin-bar.php
index 98a052379c..27266a108c 100644
--- a/src/wp-includes/admin-bar.php
+++ b/src/wp-includes/admin-bar.php
@@ -718,8 +718,9 @@ function wp_admin_bar_new_content_menu( $wp_admin_bar ) {
 if ( isset( $actions['post-new.php?post_type=content'] ) )
 $actions['post-new.php?post_type=content'][1] = 'add-new-content';
 
- if ( current_user_can( 'create_users' ) || current_user_can( 'promote_users' ) )
+ if ( current_user_can( 'create_users' ) || ( is_multisite() && current_user_can( 'promote_users' ) ) ) {
 $actions[ 'user-new.php' ] = array( _x( 'User', 'add new from admin bar' ), 'new-user' );
+ }
 
 if ( ! $actions )
 return;
diff --git a/tests/phpunit/tests/adminbar.php b/tests/phpunit/tests/adminbar.php
index b6ec315df3..bed0e6096b 100644
--- a/tests/phpunit/tests/adminbar.php
+++ b/tests/phpunit/tests/adminbar.php
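Review bot: The new condition encodes an authorization rule — `promote_users` only counts on multisite — without saying why, and nothing in the hunk ties it to the check that actually gates the target page, so the two can drift apart silently on a later edit. A comment above the `if` would anchor it: `// Mirror the access check on user-new.php: 'promote_users' is only sufficient on multisite.` (presumably that page is the real authorization boundary and this branch only controls toolbar visibility — worth confirming against it). The added braces also diverge from the brace-less single-statement `if`s on the neighbouring lines of this hunk, so either those two should gain braces as well or the new one should match them. wp_admin_bar_new_content_menu begins before this hunk and continues after it.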
@@ -530,6 +530,98 @@ class Tests_AdminBar extends WP_UnitTestCase {
 $this->assertNull( $node );
 }
 
+ public function map_meta_cap_grant_create_users( $caps, $cap ) {
+ if ( 'create_users' === $cap ) {
+ $caps = array( 'exist' );
+ }
+
+ return $caps;
+ }
+
+ public function map_meta_cap_deny_create_users( $caps, $cap ) {
+ if ( 'create_users' === $cap ) {
+ $caps = array( 'do_not_allow' );
+ }
+
+ return $caps;
+ }
+
+ public function map_meta_cap_grant_promote_users( $caps, $cap ) {
+ if ( 'promote_users' === $cap ) {
+ $caps = array( 'exist' );
+ }
+
+ return $caps;
+ }
+
+ public function map_meta_cap_deny_promote_users( $caps, $cap ) {
+ if ( 'promote_users' === $cap ) {
+ $caps = array( 'do_not_allow' );
+ }
+
+ return $caps;
+ }
+
+ /**
+ * @ticket 39252
+ */
+ public function test_new_user_link_exists_for_user_with_create_users() {
+ wp_set_current_user( self::$admin_id );
+
+ add_filter( 'map_meta_cap', array( $this, 'map_meta_cap_grant_create_users' ), 10, 2 );
+ add_filter( 'map_meta_cap', array( $this, 'map_meta_cap_deny_promote_users' ), 10, 2 );
+
+ $this->assertTrue( current_user_can( 'create_users' ) );
+ $this->assertFalse( current_user_can( 'promote_users' ) );
+
+ $wp_admin_bar = $this->get_standard_admin_bar();
+ $node = $wp_admin_bar->get_node( 'new-user' );
+
+ // 'create_users' is sufficient in single- and multisite.
+ $this->assertNotEmpty( $node );
+ }
+
+ /**
+ * @ticket 39252
+ */
+ public function test_new_user_link_existence_for_user_with_promote_users() {
+ wp_set_current_user( self::$admin_id );
+
+ add_filter( 'map_meta_cap', array( $this, 'map_meta_cap_deny_create_users' ), 10, 2 );
+ add_filter( 'map_meta_cap', array( $this, 'map_meta_cap_grant_promote_users' ), 10, 2 );
+
+ $this->assertFalse( current_user_can( 'create_users' ) );
+ $this->assertTrue( current_user_can( 'promote_users' ) );
+
+ $wp_admin_bar = $this->get_standard_admin_bar();
+ $node = $wp_admin_bar->get_node( 'new-user' );
+
+ if ( is_multisite() ) {
+ $this->assertNotEmpty( $node );
+ } else {
+ // 'promote_users' is insufficient in single-site.
+ $this->assertNull( $node );
+ }
+ }
+
+ /**
+ * @ticket 39252
+ */
+ public function test_new_user_link_does_not_exist_for_user_without_create_or_promote_users() {
+ wp_set_current_user( self::$admin_id );
+
+ add_filter( 'map_meta_cap', array( $this, 'map_meta_cap_deny_create_users' ), 10, 2 );
+ add_filter( 'map_meta_cap', array( $this, 'map_meta_cap_deny_promote_users' ), 10, 2 );
+
+ $this->assertFalse( current_user_can( 'create_users' ) );
+ $this->assertFalse( current_user_can( 'promote_users' ) );
+
+ $wp_admin_bar = $this->get_standard_admin_bar();
+ $node = $wp_admin_bar->get_node( 'new-user' );
+
+ $this->assertNull( $node );
+ }
+
 /**
 * @ticket 30937
 * @covers ::wp_admin_bar_customize_menu
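Review bot: The four `map_meta_cap_*` helpers are public methods on the test case but carry no docblock saying they are `map_meta_cap` filter callbacks or what the `'exist'` and `'do_not_allow'` primitives mean there; a docblock such as `/** Filter for 'map_meta_cap': force the named capability to be granted ('exist') or refused ('do_not_allow') regardless of the user's roles. */` on each (or one shared docblock describing the pattern) would make the tests readable without knowing WordPress's capability mapping. The four bodies differ only in the capability string and the replacement array, so a single private helper taking both, called from the four callbacks, would remove the repetition while keeping the fixed two-argument filter signature. The tests add these filters bound to `$this` and never remove them, which presumably relies on the base test case restoring hooks between tests — worth confirming rather than leaving implicit.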