sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Multisite: Handle capability check for removing oneself via map_meta_cap().

Browse Source 
Site administrators should not be able to remove themselves from a site. This moves the enforcement of this rule from `wp-admin/users.php` to `remove_user_from_blog()` via the `remove_user` capability, which furthermore allows us to get rid of two additional clauses and their `is_super_admin()` checks in `wp-admin/users.php`. A unit test for the new behavior has been added.

Fixes #39063. See #37616.


git-svn-id: https://develop.svn.wordpress.org/trunk@39588 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Felix Arntz 2016-12-12 21:41:44 +00:00
parent 87e6390895
commit 539b85406d
3 changed files with 24 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/wp-admin/users.php
View File

@ -321,10 +321,6 @@ case 'doremove':
$update = 'remove'; $update = 'remove';
foreach ( $userids as $id ) { foreach ( $userids as $id ) {
$id = (int) $id; $id = (int) $id;
if ( $id == $current_user->ID && !is_super_admin() ) {
$update = 'err_admin_remove';
continue;
}
if ( !current_user_can('remove_user', $id) ) { if ( !current_user_can('remove_user', $id) ) {
$update = 'err_admin_remove'; $update = 'err_admin_remove';
continue; continue;
@ -377,10 +373,7 @@ case 'remove':
foreach ( $userids as $id ) { foreach ( $userids as $id ) {
$id = (int) $id; $id = (int) $id;
$user = get_userdata( $id ); $user = get_userdata( $id );
if ( $id == $current_user->ID && !is_super_admin() ) { if ( ! current_user_can( 'remove_user', $id ) ) {
/* translators: 1: user id, 2: user login */
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>The current user will not be removed.</strong>'), $id, $user->user_login) . "</li>\n";
} elseif ( !current_user_can('remove_user', $id) ) {
/* translators: 1: user id, 2: user login */ /* translators: 1: user id, 2: user login */
echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>Sorry, you are not allowed to remove this user.</strong>'), $id, $user->user_login) . "</li>\n"; echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>Sorry, you are not allowed to remove this user.</strong>'), $id, $user->user_login) . "</li>\n";
} else { } else {

5
src/wp-includes/capabilities.php
View File

@ -32,7 +32,12 @@ function map_meta_cap( $cap, $user_id ) {
switch ( $cap ) { switch ( $cap ) {
case 'remove_user': case 'remove_user':
// In multisite the user must be a super admin to remove themselves.
if ( isset( $args[0] ) && $user_id == $args[0] && ! is_super_admin( $user_id ) ) {
$caps[] = 'do_not_allow';
} else {
$caps[] = 'remove_users'; $caps[] = 'remove_users';
}
break; break;
case 'promote_user': case 'promote_user':
case 'add_users': case 'add_users':

17
tests/phpunit/tests/user/capabilities.php
View File

@ -1757,4 +1757,21 @@ class Tests_User_Capabilities extends WP_UnitTestCase {
wp_set_current_user( self::$users['editor']->ID ); wp_set_current_user( self::$users['editor']->ID );
$this->assertFalse( current_user_can( 'add_user_meta', self::$users['subscriber']->ID, 'foo' ) ); $this->assertFalse( current_user_can( 'add_user_meta', self::$users['subscriber']->ID, 'foo' ) );
} }
/**
* @ticket 39063
*/
public function test_only_super_admins_can_remove_themselves_on_multisite() {
if ( ! is_multisite() ) {
$this->markTestSkipped( 'Test only runs in multisite.' );
}
$this->assertTrue( user_can( self::$super_admin->ID, 'remove_user', self::$super_admin->ID ) );
$this->assertFalse( user_can( self::$users['administrator']->ID, 'remove_user', self::$users['administrator']->ID ) );
$this->assertFalse( user_can( self::$users['editor']->ID, 'remove_user', self::$users['editor']->ID ) );
$this->assertFalse( user_can( self::$users['author']->ID, 'remove_user', self::$users['author']->ID ) );
$this->assertFalse( user_can( self::$users['contributor']->ID, 'remove_user', self::$users['contributor']->ID ) );
$this->assertFalse( user_can( self::$users['subscriber']->ID, 'remove_user', self::$users['subscriber']->ID ) );
}
} }