Ticket #42404: 42404.4.patch

src/wp-admin/includes/ajax-actions.php

@@ -4105 +4105 @@
                 'newVersion' => '',
         );
 
-        if ( ! current_user_can( 'update_plugins' ) || 0 !== validate_file( $plugin ) ) {
-                $status['errorMessage'] = __( 'Sorry, you are not allowed to update plugins for this site.' );
+        if ( ! current_user_can( 'update_plugin', $plugin ) || 0 !== validate_file( $plugin ) ) {
+                $status['errorMessage'] = __( 'Sorry, you are not allowed to update this plugin.' );
                 wp_send_json_error( $status );
         }
 

src/wp-admin/includes/plugin-install.php

@@ -420 +420 @@
                                 $status      = 'update_available';
                                 $update_file = $file;
                                 $version     = $plugin->new_version;
-                                if ( current_user_can( 'update_plugins' ) ) {
+                                if ( current_user_can( 'update_plugin', $file ) ) {
                                         $url = wp_nonce_url( self_admin_url( 'update.php?action=upgrade-plugin&plugin=' . $update_file ), 'upgrade-plugin_' . $update_file );
                                 }
                                 break;

src/wp-admin/includes/update.php

@@ -344 +344 @@
         return $upgrade_plugins;
 }
 
+/**
+ * Returns the number of plugins that the current user isn't allowed to update
+ *
+ * @return int
+ */
+function wp_get_plugin_updates_disallowed_count() {
+
+        // The number of plugins that current user cannot update
+        $not_allowed_to_update_count = 0;
+
+        $all_plugins = get_plugins();
+        foreach ( (array) $all_plugins as $plugin_file => $plugin_data ) {
+                if ( ! current_user_can( 'update_plugin', $plugin_file ) ) {
+                        $not_allowed_to_update_count++;
+                }
+        }
+
+        return $not_allowed_to_update_count;
+}
+
 /**
  * @since 2.9.0
  */
@@ -403 +423 @@
 
                 echo '<tr class="plugin-update-tr' . $active_class . '" id="' . esc_attr( $response->slug . '-update' ) . '" data-slug="' . esc_attr( $response->slug ) . '" data-plugin="' . esc_attr( $file ) . '"><td colspan="' . esc_attr( $wp_list_table->get_column_count() ) . '" class="plugin-update colspanchange"><div class="update-message notice inline notice-warning notice-alt"><p>';
 
-                if ( ! current_user_can( 'update_plugins' ) ) {
+                if ( ! current_user_can( 'update_plugin', $file ) ) {
                         /* translators: 1: plugin name, 2: details URL, 3: additional link attributes, 4: version number */
                         printf(
                                 __( 'There is a new version of %1$s available. <a href="%2$s" %3$s>View version %4$s details</a>.' ),

src/wp-admin/plugin-editor.php

@@ -18 +18 @@
 $plugin = isset( $_REQUEST['plugin'] ) ? wp_unslash( sanitize_text_field( $_REQUEST['plugin'] ) ) : '';
 
 if ( ! current_user_can( 'edit_plugin', $plugin) ) {
-    if( empty( $plugin ) )
+    if ( empty( $plugin ) )
             wp_die( __( 'Sorry, you are not allowed to edit plugins for this site.' ) );
     else
             wp_die( __( 'Sorry, you are not allowed to edit this plugin.' ) );
@@ -216 +216 @@
 <?php
 foreach ( $plugins as $plugin_key => $a_plugin ) {
 
-    if( ! current_user_can( 'edit_plugin', $plugin_key) )
+    if ( ! current_user_can( 'edit_plugin', $plugin_key) )
         continue;
 
         $plugin_name = $a_plugin['Name'];

src/wp-admin/update-core.php

@@ -233 +233 @@
 
         require_once( ABSPATH . 'wp-admin/includes/plugin-install.php' );
         $plugins = get_plugin_updates();
-        if ( empty( $plugins ) ) {
+
+        // If all plugins are up to date or the only plugins to update cannot be update by the current user
+        if ( empty( $plugins ) || count( $plugins ) == wp_get_plugin_updates_disallowed_count()) {
                 echo '<h2>' . __( 'Plugins' ) . '</h2>';
-                echo '<p>' . __( 'Your plugins are all up to date.' ) . '</p>';
+                echo '<p>' . __( "There isn't any plugin to update." ) . '</p>';
                 return;
         }
         $form_action = 'update-core.php?action=do-plugin-upgrade';
@@ -263 +265 @@
         <tbody class="plugins">
 <?php
 foreach ( (array) $plugins as $plugin_file => $plugin_data ) {
+
+    if ( ! current_user_can( 'update_plugin', $plugin_file) )
+        continue;
+
         $plugin_data = (object) _get_plugin_data_markup_translate( $plugin_file, (array) $plugin_data, false, true );
 
         $icon            = '<span class="dashicons dashicons-admin-plugins"></span>';
@@ -719 +725 @@
 } elseif ( 'do-plugin-upgrade' == $action ) {
 
         if ( ! current_user_can( 'update_plugins' ) ) {
-                wp_die( __( 'Sorry, you are not allowed to update this site.' ) );
+                wp_die( __( 'Sorry, you are not allowed to update plugins for this site.' ) );
         }
 
         check_admin_referer( 'upgrade-core' );

src/wp-admin/update.php

@@ -35 +35 @@
                         $plugins = array();
                 }
 
+                foreach ( $plugins as $plugin_file ) {
+                        if ( ! current_user_can( 'update_plugin', $plugin_file ) ) {
+                                if ( ( $key = array_search( $plugin_file, $plugins ) ) !== false ) {
+                                        unset( $plugins[ $key ] );
+                                }
+                        }
+                }
+
                 $plugins = array_map( 'urldecode', $plugins );
 
                 $url   = 'update.php?action=update-selected&plugins=' . urlencode( implode( ',', $plugins ) );
@@ -49 +57 @@
                 iframe_footer();
 
         } elseif ( 'upgrade-plugin' == $action ) {
-                if ( ! current_user_can( 'update_plugins' ) ) {
-                        wp_die( __( 'Sorry, you are not allowed to update plugins for this site.' ) );
+                if ( ! current_user_can( 'update_plugin', $plugin ) ) {
+                        wp_die( __( 'Sorry, you are not allowed to update this plugin.' ) );
                 }
 
                 check_admin_referer( 'upgrade-plugin_' . $plugin );
@@ -71 +79 @@
                 include( ABSPATH . 'wp-admin/admin-footer.php' );
 
         } elseif ( 'activate-plugin' == $action ) {
-                if ( ! current_user_can( 'update_plugins' ) ) {
-                        wp_die( __( 'Sorry, you are not allowed to update plugins for this site.' ) );
+                if ( ! current_user_can( 'update_plugin', $plugin ) ) {
+                        wp_die( __( 'Sorry, you are not allowed to update this plugin.' ) );
                 }
 
                 check_admin_referer( 'activate-plugin_' . $plugin );

src/wp-includes/capabilities.php

@@ -416 +416 @@
                         }
                         break;
                 case 'update_plugins':
+                case 'update_plugin':
                 case 'delete_plugins':
                 case 'delete_plugin':
                 case 'install_plugins':
@@ -436 +437 @@
                         } elseif ( 'upload_plugins' === $cap ) {
                                 $caps[] = 'install_plugins';
                         } else {
-                                $caps[] = ( $cap == 'delete_plugin' ) ? 'delete_plugins' : $cap;
+
+                                if (  $cap == 'delete_plugin' )
+                                        $caps[] = 'delete_plugins';
+                                elseif (  $cap == 'update_plugin' )
+                                        $caps[] = 'update_plugins';
+                                else
+                                        $caps[] = $cap;
                         }
                         break;
                 case 'install_languages':

src/wp-includes/update.php

@@ -636 +636 @@
         if ( $plugins = current_user_can( 'update_plugins' ) ) {
                 $update_plugins = get_site_transient( 'update_plugins' );
                 if ( ! empty( $update_plugins->response ) ) {
-                        $counts['plugins'] = count( $update_plugins->response );
+                        $counts['plugins'] = count( $update_plugins->response ) - wp_get_plugin_updates_disallowed_count();
                 }
         }