From bb7f147703d608266f37a11f31bacb5308b28140 Mon Sep 17 00:00:00 2001
From: Jeremy Felt
Date: Thu, 9 Jul 2015 16:15:30 +0000
Subject: [PATCH] Do not allow deletion of a super admin user through `wpmu_delete_user()`.

In step with the UI provided by `wp-admin/network/users.php`, super admin privileges must be removed before a user can be deleted through the API. Props @johnjamesjacoby, @jeremyfelt. Fixes #32935.

git-svn-id: https://develop.svn.wordpress.org/trunk@33143 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/includes/ms.php | 7 ++++
 tests/phpunit/tests/user/multisite.php | 52 ++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/src/wp-admin/includes/ms.php b/src/wp-admin/includes/ms.php
index 66fa2a060e..8c6aa48bba 100644
--- a/src/wp-admin/includes/ms.php
+++ b/src/wp-admin/includes/ms.php
@@ -190,6 +190,13 @@ function wpmu_delete_user( $id ) {
 
 	if ( !$user->exists() )
 		return false;
+
+	// Global super-administrators are protected, and cannot be deleted.
+	$_super_admins = get_super_admins();
+	if ( in_array( $user->user_login, $_super_admins, true ) ) {
+		return false;
+	}
+
 	/**
 	 * Fires before a user is deleted from the network.
 	 *
diff --git a/tests/phpunit/tests/user/multisite.php b/tests/phpunit/tests/user/multisite.php
index 22a68358b2..41b0e88666 100644
--- a/tests/phpunit/tests/user/multisite.php
+++ b/tests/phpunit/tests/user/multisite.php
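Review bot: The new guard returns `false` for a super admin exactly as the line above it does for a nonexistent user, so an API caller cannot tell "no such user" from "refused: still a super admin", and the commit message's requirement that privileges be revoked first is not discoverable from the return value. At minimum the function's docblock (above the hunk, not shown) should state the new reason: `@return bool True if the user was deleted; false if the user does not exist or is a network super admin (call revoke_super_admin() first).` It is worth adding there that `get_super_admins()` is presumably backed by the `$super_admins` global when that is set (the tests in this commit manipulate it for that reason), so a login pinned in that global is undeletable through this function regardless of the stored network option. The `$_super_admins` leading underscore does not match the plain local names elsewhere in the hunk (`$user`, `$id`); `$super_admins` would read more consistently. wpmu_delete_user()'s body continues outside the hunk.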
@@ -229,6 +229,58 @@ class Tests_Multisite_User extends WP_UnitTestCase {
 		$this->assertQueryTrue( 'is_author', 'is_archive' );
 	}
 
+	function test_revoked_super_admin_can_be_deleted() {
+		if ( isset( $GLOBALS['super_admins'] ) ) {
+			$old_global = $GLOBALS['super_admins'];
+			unset( $GLOBALS['super_admins'] );
+		}
+
+		$user_id = $this->factory->user->create();
+		grant_super_admin( $user_id );
+		revoke_super_admin( $user_id );
+
+		$this->assertTrue( wpmu_delete_user( $user_id ) );
+
+		if ( isset( $old_global ) ) {
+			$GLOBALS['super_admins'] = $old_global;
+		}
+	}
+
+	function test_revoked_super_admin_is_deleted() {
+		if ( isset( $GLOBALS['super_admins'] ) ) {
+			$old_global = $GLOBALS['super_admins'];
+			unset( $GLOBALS['super_admins'] );
+		}
+
+		$user_id = $this->factory->user->create();
+		grant_super_admin( $user_id );
+		revoke_super_admin( $user_id );
+		wpmu_delete_user( $user_id );
+		$user = new WP_User( $user_id );
+
+		$this->assertFalse( $user->exists(), 'WP_User->exists' );
+
+		if ( isset( $old_global ) ) {
+			$GLOBALS['super_admins'] = $old_global;
+		}
+	}
+
+	function test_super_admin_cannot_be_deleted() {
+		if ( isset( $GLOBALS['super_admins'] ) ) {
+			$old_global = $GLOBALS['super_admins'];
+			unset( $GLOBALS['super_admins'] );
+		}
+
+		$user_id = $this->factory->user->create();
+		grant_super_admin( $user_id );
+
+		$this->assertFalse( wpmu_delete_user( $user_id ) );
+
+		if ( isset( $old_global ) ) {
+			$GLOBALS['super_admins'] = $old_global;
+		}
+	}
+
 	/**
 	 * @ticket 27205
 	 */
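Review bot: The restore of `$GLOBALS['super_admins']` at the end of each of the three new tests only runs when the assertion before it passes; a failing `assertTrue`/`assertFalse` throws past the restore, the global stays unset, and every later test in the run sees altered super-admin state, which turns one failure into a cascade. The same save/restore block is also repeated verbatim three times. Moving it into `setUp()`/`tearDown()` (with `parent::` calls; assuming the class, whose opening is outside the hunk, does not already define them) makes the cleanup unconditional and leaves each test with only its arrange/act/assert lines, as in the excerpt below. Tests_Multisite_User continues outside the hunk on both sides.
```php
	protected $old_super_admins;

	function setUp() {
		parent::setUp();
		// Isolate super-admin state so a failing assertion cannot leak it into later tests.
		if ( isset( $GLOBALS['super_admins'] ) ) {
			$this->old_super_admins = $GLOBALS['super_admins'];
			unset( $GLOBALS['super_admins'] );
		}
	}

	function tearDown() {
		if ( isset( $this->old_super_admins ) ) {
			$GLOBALS['super_admins'] = $this->old_super_admins;
		}
		parent::tearDown();
	}

	function test_super_admin_cannot_be_deleted() {
		$user_id = $this->factory->user->create();
		grant_super_admin( $user_id );

		$this->assertFalse( wpmu_delete_user( $user_id ) );
	}
	// … unchanged: test_revoked_super_admin_can_be_deleted and test_revoked_super_admin_is_deleted, with the same save/restore lines removed …
```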