Ticket #42564: 42564.diff
File 42564.diff, 1.9 KB (added by , 7 years ago) |
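--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -48,18 +48,24 @@
 if ( isset( $_POST['pass2'] ) )
 $pass2 = $_POST['pass2'];
 
-if ( isset( $_POST['role'] ) && current_user_can( ' edit_users') ) {
+if ( isset( $_POST['role'] ) && current_user_can( 'promote_users' ) && ( ! $user_id || current_user_can( 'promote_user', $user_id ) ) ) {
 $new_role = sanitize_text_field( $_POST['role'] );
-$potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
-// Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
-// Multisite super admins can freely edit their blog roles -- they possess all caps.
-if ( ( is_multisite() && current_user_can( 'manage_sites' ) ) || $user_id != get_current_user_id() || ($potential_role && $potential_role->has_cap( 'edit_users' ) ) )
-$user->role = $new_role;
 
-// If the new role isn't editable by the logged-in user die with error
+// If the new role isn't editable by the logged-in user die with error.
 $editable_roles = get_editable_roles();
-if ( ! empty( $new_role ) && empty( $editable_roles[ $new_role] ) )
+if ( ! empty( $new_role ) && empty( $editable_roles[ $new_role ] ) ) {
 wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
+}
+
+$potential_role = isset( $wp_roles->role_objects[ $new_role ] ) ? $wp_roles->role_objects[ $new_role ] : false;
+// The new role of the user must also have the promote_users cap or be a multisite super admin.
+if (
+( is_multisite() && current_user_can( 'manage_network_users' ) ) ||
+$user_id != get_current_user_id() ||
+( $potential_role && $potential_role->has_cap( 'promote_users' ) ) )
+{
+$user->role = $new_role;
+}
 }
 
 if ( isset( $_POST['email'] ))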
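Review bot: The comment at new line 61 attributes the super-admin exemption to the role, but the condition below it tests the current user (`current_user_can( 'manage_network_users' )`), so it should read something like `// Unless the current user is a multisite super admin, a user changing their own role may only choose a role that still carries promote_users.` The same condition keeps the loose `$user_id != get_current_user_id()` from the removed code; assuming `$user_id` is an int at this point, `(int) $user_id !== get_current_user_id()` makes the self-edit test strict. The opening brace on its own line at new 66 also departs from the `) {` form the hunk itself uses on new 51 and 56. Note that a self-edit failing this check is silently ignored rather than rejected with a 403 like the editable-roles check at new 56–57; that is pre-existing behaviour, but a one-line comment saying the role is deliberately left unchanged would make the asymmetry intentional rather than surprising. The enclosing function starts and ends outside the hunk.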