From ffababf000c183cb472465237be0a075706de6ce Mon Sep 17 00:00:00 2001
From: Andrew Nacin <nacin@git.wordpress.org>
Date: Wed, 27 Jun 2012 19:27:54 +0000
Subject: [PATCH] Remove 'fall through' points in map_meta_cap() as they can
 hide bugs.

git-svn-id: https://develop.svn.wordpress.org/trunk@21152 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/capabilities.php | 48 ++++++++++++++++++++----------------
 1 file changed, 27 insertions(+), 21 deletions(-)

diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php
index d77cfea8e8..4a400a79ad 100644
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
@@ -947,16 +947,16 @@ function map_meta_cap( $cap, $user_id ) {
 		$caps[] = 'promote_users';
 		break;
 	case 'edit_user':
-		// Allow user to edit itself
-		if ( isset( $args[0] ) && $user_id == $args[0] )
-			break;
-		// Fall through
 	case 'edit_users':
+		// Allow user to edit itself
+		if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] )
+			break;
+
 		// If multisite these caps are allowed only for super admins.
 		if ( is_multisite() && !is_super_admin( $user_id ) )
 			$caps[] = 'do_not_allow';
 		else
-			$caps[] = 'edit_users'; // Explicit due to primitive fall through
+			$caps[] = 'edit_users'; // edit_user maps to edit_users.
 		break;
 	case 'delete_post':
 	case 'delete_page':
@@ -1130,17 +1130,24 @@ function map_meta_cap( $cap, $user_id ) {
 		// Disallow unfiltered_html for all users, even admins and super admins.
 		if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML )
 			$caps[] = 'do_not_allow';
+		elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+			$caps[] = 'do_not_allow';
 		else
 			$caps[] = $cap;
 		break;
 	case 'edit_files':
 	case 'edit_plugins':
 	case 'edit_themes':
-		if ( defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT ) {
+		// Disallow the file editors.
+		if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT )
 			$caps[] = 'do_not_allow';
-			break;
-		}
-		// Fall through if not DISALLOW_FILE_EDIT.
+		elseif ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
+			$caps[] = 'do_not_allow';
+		elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+			$caps[] = 'do_not_allow';
+		else
+			$caps[] = $cap;
+		break;
 	case 'update_plugins':
 	case 'delete_plugins':
 	case 'install_plugins':
@@ -1148,23 +1155,22 @@ function map_meta_cap( $cap, $user_id ) {
 	case 'delete_themes':
 	case 'install_themes':
 	case 'update_core':
-		// Disallow anything that creates, deletes, or edits core, plugin, or theme files.
+		// Disallow anything that creates, deletes, or updates core, plugin, or theme files.
 		// Files in uploads are excepted.
-		if ( defined('DISALLOW_FILE_MODS') && DISALLOW_FILE_MODS ) {
+		if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
 			$caps[] = 'do_not_allow';
-			break;
-		}
-		// Fall through if not DISALLOW_FILE_MODS.
+		elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+			$caps[] = 'do_not_allow';
+		else
+			$caps[] = $cap;
+		break;
 	case 'delete_user':
 	case 'delete_users':
-		// If multisite these caps are allowed only for super admins.
-		if ( is_multisite() && !is_super_admin( $user_id ) ) {
+		// If multisite only super admins can delete users.
+		if ( is_multisite() && ! is_super_admin( $user_id ) )
 			$caps[] = 'do_not_allow';
-		} else {
-			if ( 'delete_user' == $cap )
-				$cap = 'delete_users';
-			$caps[] = $cap;
-		}
+		else
+			$caps[] = 'delete_users'; // delete_user maps to delete_users.
 		break;
 	case 'create_users':
 		if ( !is_multisite() )