
Ticket #42404: 42404.2.patch

File 42404.2.patch, 3.1 KB (added by antonioeatgoat, 7 years ago)

Handled singular capability 'edit_plugin'. It still needs unit tests.

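--- a/src/wp-admin/includes/file.php
+++ b/src/wp-admin/includes/file.php
@@ -373,8 +373,8 @@
         if ( ! empty( $args['plugin'] ) ) {
                 $plugin = $args['plugin'];
 
-                if ( ! current_user_can( 'edit_plugins' ) ) {
-                        return new WP_Error( 'unauthorized', __( 'Sorry, you are not allowed to edit plugins for this site.' ) );
+                if ( ! current_user_can( 'edit_plugin', $plugin ) ) {
+                        return new WP_Error( 'unauthorized', __( 'Sorry, you are not allowed to edit this plugin.' ) );
                 }
 
                 if ( ! wp_verify_nonce( $args['nonce'], 'edit-plugin_' . $file ) ) {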
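Review bot: The new `current_user_can( 'edit_plugin', $plugin )` check at new line 376 is evaluated on `$args['plugin']` exactly as the caller supplied it, before anything visible in this hunk confirms that the value names an installed plugin or that `$file` belongs to it. In the capabilities.php lines shown in this patch the argument is not inspected, so the decision only becomes per-plugin through a `map_meta_cap` filter, and such a filter would be judging an unvalidated string while the nonce on new line 380 is bound to `$file` alone. The function body continues outside the hunk; if the plugin/file pair is validated further down, move the capability check after that validation or repeat it there. A short comment would also help, for example `// Meta capability: resolves to 'edit_plugins' unless a map_meta_cap filter restricts it for this plugin.`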
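--- a/src/wp-admin/plugin-editor.php
+++ b/src/wp-admin/plugin-editor.php
@@ -14,8 +14,14 @@
         exit();
 }
 
-if ( ! current_user_can( 'edit_plugins' ) ) {
-        wp_die( __( 'Sorry, you are not allowed to edit plugins for this site.' ) );
+$file = ( isset( $_REQUEST['file'] ) ) ?  wp_unslash( $_REQUEST['file'] ) : '';
+$plugin = isset( $_REQUEST['plugin'] ) ? wp_unslash( sanitize_text_field( $_REQUEST['plugin'] ) ) : '';
+
+if ( ! current_user_can( 'edit_plugin', $plugin) ) {
+    if( empty( $plugin ) )
+            wp_die( __( 'Sorry, you are not allowed to edit plugins for this site.' ) );
+    else
+            wp_die( __( 'Sorry, you are not allowed to edit this plugin.' ) );
 }
 
 $title       = __( 'Edit Plugins' );
@@ -35,16 +41,6 @@
         exit;
 }
 
-$file   = '';
-$plugin = '';
-if ( isset( $_REQUEST['file'] ) ) {
-        $file = wp_unslash( $_REQUEST['file'] );
-}
-
-if ( isset( $_REQUEST['plugin'] ) ) {
-        $plugin = wp_unslash( $_REQUEST['plugin'] );
-}
-
 if ( empty( $plugin ) ) {
         if ( $file ) {
 
@@ -219,6 +215,10 @@
                 <select name="plugin" id="plugin">
 <?php
 foreach ( $plugins as $plugin_key => $a_plugin ) {
+
+    if( ! current_user_can( 'edit_plugin', $plugin_key) )
+        continue;
+
         $plugin_name = $a_plugin['Name'];
         if ( $plugin_key == $plugin ) {
                 $selected = " selected='selected'";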
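Review bot: The capability check added at new lines 20-25 runs on the request value of `$plugin`, but the unchanged block at new lines 44-46 still starts resolving `$plugin` from `$file` when it is empty, so a request carrying only `file` is authorised against an empty plugin name and the plugin actually opened is chosen afterwards. With the mapping shown in capabilities.php this behaves like the old `edit_plugins` check, but any per-plugin restriction applied through `map_meta_cap` would not cover the resolved plugin. Repeat the check once `$plugin` is final (that block continues outside the hunk), e.g. `if ( ! current_user_can( 'edit_plugin', $plugin ) ) { wp_die( __( 'Sorry, you are not allowed to edit this plugin.' ) ); }`. New line 18 should also unslash before sanitising, `sanitize_text_field( wp_unslash( $_REQUEST['plugin'] ) )`, and the `continue` at new lines 219-220 only hides entries in the dropdown, so it should not be relied on as the access control.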
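--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -402,6 +402,7 @@
                         break;
                 case 'edit_files':
                 case 'edit_plugins':
+                case 'edit_plugin':
                 case 'edit_themes':
                         // Disallow the file editors.
                         if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) {
@@ -411,7 +412,7 @@
                         } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
                                 $caps[] = 'do_not_allow';
                         } else {
-                                $caps[] = $cap;
+                                $caps[] = ( $cap == 'edit_plugin' ) ? 'edit_plugins' : $cap;
                         }
                         break;
                 case 'update_plugins':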
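Review bot: The `edit_plugin` case added at new line 405 never reads the plugin argument in the lines shown, so in core it grants exactly what `edit_plugins` grants and callers passing a plugin get no per-plugin enforcement unless a `map_meta_cap` filter supplies it. That contract should be written down next to the case, for example `// 'edit_plugin' receives the plugin in $args[0]; core maps it to 'edit_plugins', per-plugin rules come only from the map_meta_cap filter.` At new line 415 the loose `==` should be a strict comparison, `$caps[] = ( 'edit_plugin' === $cap ) ? 'edit_plugins' : $cap;`. The lines between the two hunks are not visible here, so whether the remaining branches treat the new case the same way as `edit_plugins` is worth confirming.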