- don't pass user id to list_users check

- only link the username if the edit_user cap check passes

see #13074


git-svn-id: https://develop.svn.wordpress.org/trunk@14191 602fd350-edb4-49c9-b593-d223f7449a82
Joseph Scott 2010-04-22 22:53:44 +00:00
parent 3f2ee78320
commit c97705cd49
1 changed files with 7 additions and 2 deletions


@ -1812,7 +1812,7 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
$short_url = substr( $short_url, 0, 32 ).'...'; $short_url = substr( $short_url, 0, 32 ).'...';
$checkbox = ''; $checkbox = '';
// Check if the user for this row is editable // Check if the user for this row is editable
if ( current_user_can( 'list_users', $user_object->ID ) ) { if ( current_user_can( 'list_users' ) ) {
// Set up the user editing link // Set up the user editing link
// TODO: make profile/user-edit determination a separate function // TODO: make profile/user-edit determination a separate function
if ($current_user->ID == $user_object->ID) { if ($current_user->ID == $user_object->ID) {
@ -1825,8 +1825,13 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
// Set up the hover actions for this user // Set up the hover actions for this user
$actions = array(); $actions = array();
if ( current_user_can('edit_user', $user_object->ID) ) if ( current_user_can('edit_user', $user_object->ID) ) {
$edit = "<strong><a href=\"$edit_link\">$user_object->user_login</a></strong><br />";
$actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>'; $actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
} else {
$edit = "<strong>$user_object->user_login</strong><br />";
}
if ( !is_multisite() && $current_user->ID != $user_object->ID && current_user_can('delete_user', $user_object->ID) ) if ( !is_multisite() && $current_user->ID != $user_object->ID && current_user_can('delete_user', $user_object->ID) )
$actions['delete'] = "<a class='submitdelete' href='" . wp_nonce_url("users.php?action=delete&amp;user=$user_object->ID", 'bulk-users') . "'>" . __('Delete') . "</a>"; $actions['delete'] = "<a class='submitdelete' href='" . wp_nonce_url("users.php?action=delete&amp;user=$user_object->ID", 'bulk-users') . "'>" . __('Delete') . "</a>";
if ( is_multisite() && $current_user->ID != $user_object->ID && current_user_can('remove_user', $user_object->ID) ) if ( is_multisite() && $current_user->ID != $user_object->ID && current_user_can('remove_user', $user_object->ID) )