diff --git a/wp-admin/includes/class-wp-users-list-table.php b/wp-admin/includes/class-wp-users-list-table.php
index 64cad3302f..9325d9a7f7 100644
--- a/wp-admin/includes/class-wp-users-list-table.php
+++ b/wp-admin/includes/class-wp-users-list-table.php
@@ -132,6 +132,8 @@ class WP_Users_List_Table extends WP_List_Table {
 function extra_tablenav( $which ) {
 if ( 'top' != $which )
 return;
+ if ( ! current_user_can( 'promote_users' ) )
+ return;
 ?>
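Review bot: The `promote_users` early return added to `extra_tablenav()` in class-wp-users-list-table.php only hides the bulk role control, and nothing in the code says so, so a reader could mistake it for the authorization boundary. The check that stops a hand-built request is the one this commit adds to the `promote` case in users.php. I would add a comment above the new guard: `// Display only: users.php enforces promote_users for the 'promote' action.` The return also skips anything else the method emits after the `?>`; the rest of the body is outside the hunk, so confirm nothing meant for other users is rendered there.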
diff --git a/wp-admin/menu.php b/wp-admin/menu.php
index 30d0169cdf..f2eb867e10 100644
--- a/wp-admin/menu.php
+++ b/wp-admin/menu.php
@@ -191,13 +191,19 @@ else
 if ( current_user_can('list_users') ) {
 $_wp_real_parent_file['profile.php'] = 'users.php'; // Back-compat for plugins adding submenus to profile.php.
 $submenu['users.php'][5] = array(__('Users'), 'list_users', 'users.php');
- $submenu['users.php'][10] = array(_x('Add New', 'user'), 'promote_users', 'user-new.php');
+ if ( current_user_can('create_users') )
+ $submenu['users.php'][10] = array(_x('Add New', 'user'), 'create_users', 'user-new.php');
+ else
+ $submenu['users.php'][10] = array(_x('Add New', 'user'), 'promote_users', 'user-new.php');
 $submenu['users.php'][15] = array(__('Your Profile'), 'read', 'profile.php');
 } else {
 $_wp_real_parent_file['users.php'] = 'profile.php';
 $submenu['profile.php'][5] = array(__('Your Profile'), 'read', 'profile.php');
- $submenu['profile.php'][10] = array(__('Add New User'), 'promote_users', 'user-new.php');
+ if ( current_user_can('create_users') )
+ $submenu['profile.php'][10] = array(__('Add New User'), 'create_users', 'user-new.php');
+ else
+ $submenu['profile.php'][10] = array(__('Add New User'), 'promote_users', 'user-new.php');
 }
 $menu[75] = array( __('Tools'), 'edit_posts', 'tools.php', '', 'menu-top menu-icon-tools', 'menu-tools', 'div' );
diff --git a/wp-admin/user-new.php b/wp-admin/user-new.php
index 0d958bc2ca..b9d87256fb 100644
--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
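Review bot: In the menu.php hunk the `promote_users` fallback for the "Add New" entry is unconditional, while user-new.php in this same commit refuses a single-site user who lacks `create_users`. A single-site account holding only `promote_users` would therefore be shown a menu item that ends in `wp_die()`; access still fails closed, but the menu and the page gate disagree. Writing both fallbacks as `elseif ( is_multisite() )` instead of `else` would keep them aligned with the page gate. The same four-line if/else also appears twice, so any later change to the rule has to be made in two places.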
@@ -9,8 +9,12 @@
 /** WordPress Administration Bootstrap */
 require_once('./admin.php');
-if ( ! current_user_can('create_users') && ! current_user_can('promote_users') )
- wp_die(__('Cheatin’ uh?'));
+if ( is_multisite() ) {
+ if ( ! current_user_can( 'create_users' ) && ! current_user_can( 'promote_users' ) )
+ wp_die( __( 'Cheatin’ uh?' ) );
+} elseif ( ! current_user_can( 'create_users' ) ) {
+ wp_die( __( 'Cheatin’ uh?' ) );
+}
 if ( is_multisite() ) {
 function admin_created_user_email( $text ) {
diff --git a/wp-admin/users.php b/wp-admin/users.php
index e557d450ac..044c806c89 100644
--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@@ -48,6 +48,9 @@ switch ( $wp_list_table->current_action() ) {
 case 'promote':
 check_admin_referer('bulk-users');
+ if ( ! current_user_can( 'promote_users' ) )
+ wp_die( __( 'You can’t edit that user.' ) );
+
 if ( empty($_REQUEST['users']) ) {
 wp_redirect($redirect);
 exit();
@@ -352,7 +355,7 @@ if ( ! empty($messages) ) { echo esc_html( $title ); if ( current_user_can( 'create_users' ) ) { ?> - +
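Review bot: On the multisite branch of the new gate in user-new.php, an account holding only `promote_users` is admitted to a page that, judging by its name and the `create_users` test beside it, presumably also creates accounts. The request handlers sit below the hunk and are not visible here, so confirm that the account-creation path checks `create_users` itself rather than relying on this page-level test. A comment above the `is_multisite()` block would record the intent, for example `// Page gate only: each action below must check its own capability.`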
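Review bot: The denial added to the `promote` case in users.php calls `wp_die()` with only a message, which as far as I know answers with WordPress's default 500 status, so a refused role change looks like a server fault in access logs. Passing the status makes the refusal visible to monitoring: `wp_die( __( 'You can’t edit that user.' ), '', array( 'response' => 403 ) );`. The `wp_die()` calls in the user-new.php gate have the same shape. The guard is also an unbraced `if`; bracing it would keep a later edit from separating `wp_die()` from its condition. The rest of the `promote` case lies outside the hunk.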