From ef1f6975641b91ad2001784a4f3235ca76c318f7 Mon Sep 17 00:00:00 2001 From: Jeremy Felt Date: Thu, 10 Sep 2015 03:33:22 +0000 Subject: [PATCH] Multisite: Allow users with `manage_network_users` to edit network users. Other users in a network can now be given capabilities to manage users without also having global super admin privileges. * Users with `manage_network_users` can not edit super admins. * Users with `manage_network_users` can not promote users to super admin. * Uses of `is_super_admin()` in `user-new.php` are now updated to `manage_network_users`. Props daniellandau, chriscct7. Fixes #16860. git-svn-id: https://develop.svn.wordpress.org/trunk@33988 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/user-new.php | 10 +++---- src/wp-includes/capabilities-functions.php | 7 ++--- tests/phpunit/tests/user/capabilities.php | 31 ++++++++++++++++++++++ 3 files changed, 40 insertions(+), 8 deletions(-) diff --git a/src/wp-admin/user-new.php b/src/wp-admin/user-new.php index 2f6c5bf981..2228fc7354 100644 --- a/src/wp-admin/user-new.php +++ b/src/wp-admin/user-new.php @@ -84,7 +84,7 @@ if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) { if ( ( $username != null && !is_super_admin( $user_id ) ) && ( array_key_exists($blog_id, get_blogs_of_user($user_id)) ) ) { $redirect = add_query_arg( array('update' => 'addexisting'), 'user-new.php' ); } else { - if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { + if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) { add_existing_user_to_blog( array( 'user_id' => $user_id, 'role' => $_REQUEST[ 'role' ] ) ); $redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' ); } else { @@ -158,12 +158,12 @@ Please click the following link to confirm the invite: * @param string $user_login The sanitized username. */ $new_user_login = apply_filters( 'pre_user_login', sanitize_user( wp_unslash( $_REQUEST['user_login'] ), true ) ); - if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { + if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) { add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email } wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST['role'] ) ); - if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { + if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) { $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) ); wpmu_activate_signup( $key ); $redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' ); @@ -339,7 +339,7 @@ if ( is_multisite() ) { - + @@ -476,7 +476,7 @@ if ( apply_filters( 'show_password_fields', true ) ) : ?> - + diff --git a/src/wp-includes/capabilities-functions.php b/src/wp-includes/capabilities-functions.php index 316b850e7b..3742c18c40 100644 --- a/src/wp-includes/capabilities-functions.php +++ b/src/wp-includes/capabilities-functions.php @@ -37,11 +37,12 @@ function map_meta_cap( $cap, $user_id ) { if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] ) break; - // If multisite these caps are allowed only for super admins. - if ( is_multisite() && !is_super_admin( $user_id ) ) + // In multisite the user must have manage_network_users caps. If editing a super admin, the user must be a super admin. + if ( is_multisite() && ( ( ! is_super_admin( $user_id ) && 'edit_user' === $cap && is_super_admin( $args[0] ) ) || ! user_can( $user_id, 'manage_network_users' ) ) ) { $caps[] = 'do_not_allow'; - else + } else { $caps[] = 'edit_users'; // edit_user maps to edit_users. + } break; case 'delete_post': case 'delete_page': diff --git a/tests/phpunit/tests/user/capabilities.php b/tests/phpunit/tests/user/capabilities.php index 4fc7ecd32b..78820d2f9d 100644 --- a/tests/phpunit/tests/user/capabilities.php +++ b/tests/phpunit/tests/user/capabilities.php @@ -963,4 +963,35 @@ class Tests_User_Capabilities extends WP_UnitTestCase { $this->assertTrue( current_user_can( 'edit_user', $user->ID ) ); } + + function test_multisite_administrator_with_manage_network_users_can_edit_users() { + if ( ! is_multisite() ) { + $this->markTestSkipped( 'Test only runs in multisite' ); + return; + } + + $user = new WP_User( $this->factory->user->create( array( 'role' => 'administrator' ) ) ); + $user->add_cap( 'manage_network_users' ); + $other_user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) ); + + wp_set_current_user( $user->ID ); + + $this->assertTrue( current_user_can( 'edit_user', $other_user->ID ) ); + } + + function test_multisite_administrator_with_manage_network_users_can_not_edit_super_admin() { + if ( ! is_multisite() ) { + $this->markTestSkipped( 'Test only runs in multisite' ); + return; + } + + $user = new WP_User( $this->factory->user->create( array( 'role' => 'administrator' ) ) ); + $user->add_cap( 'manage_network_users' ); + $super_admin = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) ); + grant_super_admin( $super_admin->ID ); + + wp_set_current_user( $user->ID ); + + $this->assertFalse( current_user_can( 'edit_user', $super_admin->ID ) ); + } }