sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Multisite: Allow users with manage_network_users to edit network users.

Browse Source 
Other users in a network can now be given capabilities to manage users without also having global super admin privileges.

* Users with `manage_network_users` can not edit super admins.
* Users with `manage_network_users` can not promote users to super admin.
* Uses of `is_super_admin()` in `user-new.php` are now updated to `manage_network_users`.

Props daniellandau, chriscct7.
Fixes #16860.


git-svn-id: https://develop.svn.wordpress.org/trunk@33988 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Jeremy Felt 2015-09-10 03:33:22 +00:00
parent c89822ebe0
commit ef1f697564
3 changed files with 40 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/wp-admin/user-new.php
View File

@ -84,7 +84,7 @@ if ( isset($_REQUEST['action']) && 'adduser' == $_REQUEST['action'] ) {
if ( ( $username != null && !is_super_admin( $user_id ) ) && ( array_key_exists($blog_id, get_blogs_of_user($user_id)) ) ) { if ( ( $username != null && !is_super_admin( $user_id ) ) && ( array_key_exists($blog_id, get_blogs_of_user($user_id)) ) ) {
$redirect = add_query_arg( array('update' => 'addexisting'), 'user-new.php' ); $redirect = add_query_arg( array('update' => 'addexisting'), 'user-new.php' );
} else { } else {
if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) {
add_existing_user_to_blog( array( 'user_id' => $user_id, 'role' => $_REQUEST[ 'role' ] ) ); add_existing_user_to_blog( array( 'user_id' => $user_id, 'role' => $_REQUEST[ 'role' ] ) );
$redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' ); $redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
} else { } else {
@ -158,12 +158,12 @@ Please click the following link to confirm the invite:
* @param string $user_login The sanitized username. * @param string $user_login The sanitized username.
*/ */
$new_user_login = apply_filters( 'pre_user_login', sanitize_user( wp_unslash( $_REQUEST['user_login'] ), true ) ); $new_user_login = apply_filters( 'pre_user_login', sanitize_user( wp_unslash( $_REQUEST['user_login'] ), true ) );
if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) {
add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email
} }
wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST['role'] ) ); wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST['role'] ) );
if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) { if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) {
$key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) ); $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
wpmu_activate_signup( $key ); wpmu_activate_signup( $key );
$redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' ); $redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
@ -339,7 +339,7 @@ if ( is_multisite() ) {
</select> </select>
</td> </td>
</tr> </tr>
<?php if ( is_super_admin() ) { ?> <?php if ( current_user_can( 'manage_network_users' ) ) { ?>
<tr> <tr>
<th scope="row"><label for="adduser-noconfirmation"><?php _e('Skip Confirmation Email') ?></label></th> <th scope="row"><label for="adduser-noconfirmation"><?php _e('Skip Confirmation Email') ?></label></th>
<td><label for="adduser-noconfirmation"><input type="checkbox" name="noconfirmation" id="adduser-noconfirmation" value="1" /> <?php _e( 'Add the user without sending an email that requires their confirmation.' ); ?></label></td> <td><label for="adduser-noconfirmation"><input type="checkbox" name="noconfirmation" id="adduser-noconfirmation" value="1" /> <?php _e( 'Add the user without sending an email that requires their confirmation.' ); ?></label></td>
@ -476,7 +476,7 @@ if ( apply_filters( 'show_password_fields', true ) ) : ?>
</select> </select>
</td> </td>
</tr> </tr>
<?php if ( is_multisite() && is_super_admin() ) { ?> <?php if ( is_multisite() && current_user_can( 'manage_network_users' ) ) { ?>
<tr> <tr>
<th scope="row"><label for="noconfirmation"><?php _e('Skip Confirmation Email') ?></label></th> <th scope="row"><label for="noconfirmation"><?php _e('Skip Confirmation Email') ?></label></th>
<td><label for="noconfirmation"><input type="checkbox" name="noconfirmation" id="noconfirmation" value="1" <?php checked( $new_user_ignore_pass ); ?> /> <?php _e( 'Add the user without sending an email that requires their confirmation.' ); ?></label></td> <td><label for="noconfirmation"><input type="checkbox" name="noconfirmation" id="noconfirmation" value="1" <?php checked( $new_user_ignore_pass ); ?> /> <?php _e( 'Add the user without sending an email that requires their confirmation.' ); ?></label></td>

7
src/wp-includes/capabilities-functions.php
View File

@ -37,11 +37,12 @@ function map_meta_cap( $cap, $user_id ) {
if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] ) if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] )
break; break;
// If multisite these caps are allowed only for super admins. // In multisite the user must have manage_network_users caps. If editing a super admin, the user must be a super admin.
if ( is_multisite() && !is_super_admin( $user_id ) ) if ( is_multisite() && ( ( ! is_super_admin( $user_id ) && 'edit_user' === $cap && is_super_admin( $args[0] ) ) || ! user_can( $user_id, 'manage_network_users' ) ) ) {
$caps[] = 'do_not_allow'; $caps[] = 'do_not_allow';
else } else {
$caps[] = 'edit_users'; // edit_user maps to edit_users. $caps[] = 'edit_users'; // edit_user maps to edit_users.
}
break; break;
case 'delete_post': case 'delete_post':
case 'delete_page': case 'delete_page':

31
tests/phpunit/tests/user/capabilities.php
View File

@ -963,4 +963,35 @@ class Tests_User_Capabilities extends WP_UnitTestCase {
$this->assertTrue( current_user_can( 'edit_user', $user->ID ) ); $this->assertTrue( current_user_can( 'edit_user', $user->ID ) );
} }
function test_multisite_administrator_with_manage_network_users_can_edit_users() {
if ( ! is_multisite() ) {
$this->markTestSkipped( 'Test only runs in multisite' );
return;
}
$user = new WP_User( $this->factory->user->create( array( 'role' => 'administrator' ) ) );
$user->add_cap( 'manage_network_users' );
$other_user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
wp_set_current_user( $user->ID );
$this->assertTrue( current_user_can( 'edit_user', $other_user->ID ) );
}
function test_multisite_administrator_with_manage_network_users_can_not_edit_super_admin() {
if ( ! is_multisite() ) {
$this->markTestSkipped( 'Test only runs in multisite' );
return;
}
$user = new WP_User( $this->factory->user->create( array( 'role' => 'administrator' ) ) );
$user->add_cap( 'manage_network_users' );
$super_admin = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
grant_super_admin( $super_admin->ID );
wp_set_current_user( $user->ID );
$this->assertFalse( current_user_can( 'edit_user', $super_admin->ID ) );
}
} }