
Ticket #41059: 41059.2.patch

File 41059.2.patch, 3.9 KB (added by peterwilsoncc, 3 years ago)
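diff --git src/wp-includes/class-wp-roles.php src/wp-includes/class-wp-roles.php
index 23e05d7b1b..df87307f06 100644
--- a/src/wp-includes/class-wp-roles.php
+++ b/src/wp-includes/class-wp-roles.php
@@ -222,6 +222,11 @@ class WP_Roles {
                 if ( ! isset( $this->roles[$role] ) )
                         return;
 
+                // Nobody is allowed to do things they are not allowed to do.
+                if ( 'do_not_allow' === $cap ) {
+                        return;
+                }
+
                 $this->roles[$role]['capabilities'][$cap] = $grant;
                 if ( $this->use_db )
                         update_option( $this->role_key, $this->roles );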
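Review bot: The new early return in `WP_Roles::add_cap` drops the request silently, with no signal to the caller and no mention in the method's docblock (which sits above the hunk, outside this view); add a line such as `@return void The 'do_not_allow' capability is never stored; such a request is silently ignored.` to that docblock, mirroring the existing silent return for an unknown role. Note that this guard only protects callers that reach the role through `add_cap`; if any other path writes a role's capability array directly (a role created with a pre-built capabilities array, or the option edited by hand), `do_not_allow` can presumably still land in the stored roles, so the removal on the `has_cap` side remains the load-bearing check and should not be treated as redundant. The body of `add_cap` begins before this hunk.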
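diff --git src/wp-includes/class-wp-user.php src/wp-includes/class-wp-user.php
index 0b0bb1023a..5d8b269627 100644
--- a/src/wp-includes/class-wp-user.php
+++ b/src/wp-includes/class-wp-user.php
@@ -655,6 +655,11 @@ class WP_User {
          * @param bool $grant Whether to grant capability to user.
          */
         public function add_cap( $cap, $grant = true ) {
+                // Nobody is allowed to do things they are not allowed to do.
+                if ( 'do_not_allow' === $cap ) {
+                        return;
+                }
+
                 $this->caps[$cap] = $grant;
                 update_user_meta( $this->ID, $this->cap_key, $this->caps );
                 $this->get_role_caps();
@@ -748,6 +753,9 @@ class WP_User {
                 // Everyone is allowed to exist.
                 $capabilities['exist'] = true;
 
+                // Nobody is allowed to do things they are not allowed to do.
+                unset( $capabilities['do_not_allow'] );
+
                 // Must have ALL requested caps.
                 foreach ( (array) $caps as $cap ) {
                         if ( empty( $capabilities[ $cap ] ) )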
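Review bot: The `unset( $capabilities['do_not_allow'] )` added to `has_cap` is order-sensitive: it only defeats a plugin that grants the cap through the `user_has_cap` filter if it runs after that filter has been applied, which the new test at lines 517–520 of the test file depends on, yet nothing in the code records that constraint. Add a why-comment above the unset such as `// Must stay after the 'user_has_cap' filter has run, so a filter cannot re-grant it.` so a later refactor does not move it earlier. The filter call itself is above this hunk and not visible here, so the ordering is inferred from the test rather than seen; `has_cap` starts and ends outside the hunk.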
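diff --git tests/phpunit/tests/user/capabilities.php tests/phpunit/tests/user/capabilities.php
index 241270495c..2070a64fa4 100644
--- a/tests/phpunit/tests/user/capabilities.php
+++ b/tests/phpunit/tests/user/capabilities.php
@@ -494,6 +494,57 @@ class Tests_User_Capabilities extends WP_UnitTestCase {
                 $this->assertTrue( user_can( $user, 'exist' ), "User with the {$role} role should have the exist capability" );
         }
 
+        /**
+         * @ticket 41059
+         */
+        public function test_do_not_allow_is_denied_for_all_roles() {
+                foreach ( self::$users as $role => $user ) {
+
+                        # Test adding the cap directly to the user
+                        $user->add_cap( 'do_not_allow' );
+                        $has_cap = $user->has_cap( 'do_not_allow' );
+                        $user->remove_cap( 'do_not_allow' );
+                        $this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
+
+                        # Test adding the cap to the user's role
+                        $role_obj = get_role( $role );
+                        $role_obj->add_cap( 'do_not_allow' );
+                        $has_cap = $user->has_cap( 'do_not_allow' );
+                        $role_obj->remove_cap( 'do_not_allow' );
+                        $this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
+
+                        # Test adding the cap via a filter
+                        add_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
+                        $has_cap = $user->has_cap( 'do_not_allow' );
+                        remove_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
+                        $this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
+
+                }
+        }
+
+        /**
+         * @group ms-required
+         * @ticket 41059
+         */
+        public function test_do_not_allow_is_denied_for_super_admins() {
+                # Test adding the cap directly to the user
+                self::$super_admin->add_cap( 'do_not_allow' );
+                $has_cap = self::$super_admin->has_cap( 'do_not_allow' );
+                self::$super_admin->remove_cap( 'do_not_allow' );
+                $this->assertFalse( $has_cap, 'Super admins should not have the do_not_allow capability' );
+
+                # Test adding the cap via a filter
+                add_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
+                $has_cap = self::$super_admin->has_cap( 'do_not_allow' );
+                remove_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
+                $this->assertFalse( $has_cap, 'Super admins should not have the do_not_allow capability' );
+        }
+
+        public function grant_do_not_allow( $allcaps, $caps, $args, $user ) {
+                $allcaps['do_not_allow'] = true;
+                return $allcaps;
+        }
+
         // special case for the link manager
         function test_link_manager_caps() {
                 $caps = array(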
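Review bot: Both new tests assert only that `has_cap()` reports false, so they would still pass if the guards added to `WP_Roles::add_cap` and `WP_User::add_cap` were deleted and only the `unset()` in `has_cap()` remained; the "never persist it" half of the fix is unverified. After each `add_cap( 'do_not_allow' )` also assert that nothing was stored, e.g. `$this->assertArrayNotHasKey( 'do_not_allow', $user->caps );` and `$this->assertArrayNotHasKey( 'do_not_allow', $role_obj->capabilities );`, assuming those public properties expose the stored capability arrays. Separately, `remove_filter()` accepts only a tag, a callback and a priority, so the trailing `4` passed on lines 519 and 539 is ignored and should be dropped to avoid implying it matters. The `#` comments in the new methods should also be `//` to match the surrounding file (line 548).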