
Ticket #1825: admin-functions.php.patch

File admin-functions.php.patch, 701 bytes (added by ringmaster, 20 years ago)

Apply this after davidhouse's patch to prevent an edit_users user from demoting himself.

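--- a/admin-functions.php
+++ b/admin-functions.php
@@ -256,6 +256,7 @@
 }
 
 function edit_user($user_id = 0) {
+        global $current_user, $wp_roles;
 
         if ($user_id != 0) {
                 $update = true;
@@ -276,6 +277,10 @@
         if (isset ($_POST['pass2']))
                 $pass2 = $_POST['pass2'];
 
+        if (isset ($_POST['role'])) {
+                if($user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap('edit_users'))
+                        $user->role = $_POST['role'];
+        }
         if (isset ($_POST['email']))
                 $user->user_email = wp_specialchars(trim($_POST['email']));
         if (isset ($_POST['url'])) {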
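Review bot: The role check on new line 281 indexes `$wp_roles->role_objects[$_POST['role']]` with the raw POST value and calls `has_cap()` on the result without confirming that the role exists. When a user edits their own account and the submitted role name is not registered, the lookup yields no object and the method call fails fatally; when the target is a different user the `||` short-circuits and the unchecked string is assigned to `$user->role` as-is. I would guard both paths with an existence check, e.g. `if (isset($wp_roles->role_objects[$_POST['role']]) && ($user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap('edit_users')))`. A refused self-demotion is also silent at this point; `edit_user()` continues past the hunk, so whether an error is reported later cannot be seen from this page.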