From 5ad0a446d383ae3e87bcc18a1c3f6741fbf01770 Mon Sep 17 00:00:00 2001
From: Peter Westwood
Date: Fri, 24 Dec 2010 22:37:51 +0000
Subject: [PATCH] Nonce checks for site-users. See #15969 props PeteMall.
git-svn-id: https://develop.svn.wordpress.org/trunk@17136 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-admin/network/site-users.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/wp-admin/network/site-users.php b/wp-admin/network/site-users.php
index 6607bf1f55..a261424db2 100644
--- a/wp-admin/network/site-users.php
+++ b/wp-admin/network/site-users.php
@@ -62,6 +62,7 @@ if ( $action ) {
 switch ( $action ) {
 case 'newuser':
+ check_admin_referer( 'add-user', '_wpnonce_add-new-user' );
 $user = $_POST['user'];
 if ( !is_array( $_POST['user'] ) || empty( $user['username'] ) || empty( $user['email'] ) ) {
 $update = 'err_new';
@@ -80,6 +81,7 @@ if ( $action ) {
 break;
 case 'adduser':
+ check_admin_referer( 'add-user', '_wpnonce_add-user' );
 if ( !empty( $_POST['newuser'] ) ) {
 $update = 'adduser';
 $newuser = $_POST['newuser'];
@@ -101,7 +103,8 @@ if ( $action ) {
 case 'remove':
 if ( !current_user_can('remove_users') )
 die(__('You can’t remove users.'));
-
+ check_admin_referer( 'bulk-users' );
+
 $update = 'remove';
 if ( isset( $_REQUEST['users'] ) ) {
 $userids = $_REQUEST['users'];
@@ -118,6 +121,7 @@ if ( $action ) {
 break;
 case 'promote':
+ check_admin_referer( 'bulk-users' );
 $editable_roles = get_editable_roles();
 if ( empty( $editable_roles[$_REQUEST['new_role']] ) )
 wp_die(__('You can’t give users that role.'));
@@ -258,6 +262,7 @@ endif; ?>
+
@@ -293,7 +298,7 @@ endif; ?>
-
+
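Review bot: The new `check_admin_referer` calls in the 'newuser' case and in the 'adduser' case (second hunk) verify against the same nonce action, `'add-user'`, and differ only in the query-arg name (`_wpnonce_add-new-user` vs `_wpnonce_add-user`); as far as I know the nonce value depends on the action and the current user, not on the field name, so a token issued for one form also validates for the other. The practical impact looks small, since both forms sit on the same admin screen for the same user, but if the two field names are meant to keep the operations distinct, a distinct action per case, e.g. `check_admin_referer( 'add-new-user', '_wpnonce_add-new-user' );`, would be needed, paired with the matching `wp_nonce_field` calls in the last two hunks (around lines 258 and 293), whose content is not readable in this view. The switch body continues outside both hunks.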
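Review bot: The 'promote' case (fourth hunk) gains a nonce check but, unlike the 'remove' case just above it, no capability check is visible before it; `get_editable_roles()` on the following line appears to limit which role can be assigned, but it does not by itself establish that the current user may change roles at all. If `promote_users` is not already enforced earlier on the page (the case body and everything before line 62 are outside the hunk), a guard mirroring the remove branch, `if ( !current_user_can('promote_users') ) wp_die(__('You can’t promote users.'));`, placed ahead of `check_admin_referer( 'bulk-users' );` would make the two bulk actions consistent.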