
Ticket #42564: 42564.diff

File 42564.diff, 1.9 KB (added by ocean90, 7 years ago)

Also props to @jjj and @flixos90

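--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -48,18 +48,24 @@
 	if ( isset( $_POST['pass2'] ) )
 		$pass2 = $_POST['pass2'];
 
-	if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) {
+	if ( isset( $_POST['role'] ) && current_user_can( 'promote_users' ) && ( ! $user_id || current_user_can( 'promote_user', $user_id ) ) ) {
 		$new_role = sanitize_text_field( $_POST['role'] );
-		$potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false;
-		// Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
-		// Multisite super admins can freely edit their blog roles -- they possess all caps.
-		if ( ( is_multisite() && current_user_can( 'manage_sites' ) ) || $user_id != get_current_user_id() || ($potential_role && $potential_role->has_cap( 'edit_users' ) ) )
-			$user->role = $new_role;
 
-		// If the new role isn't editable by the logged-in user die with error
+		// If the new role isn't editable by the logged-in user die with error.
 		$editable_roles = get_editable_roles();
-		if ( ! empty( $new_role ) && empty( $editable_roles[$new_role] ) )
+		if ( ! empty( $new_role ) && empty( $editable_roles[ $new_role ] ) ) {
 			wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
+		}
+
+		$potential_role = isset( $wp_roles->role_objects[ $new_role ] ) ? $wp_roles->role_objects[ $new_role ] : false;
+		// The new role of the user must also have the promote_users cap or be a multisite super admin.
+		if (
+			( is_multisite() && current_user_can( 'manage_network_users' ) ) ||
+			$user_id != get_current_user_id() ||
+			( $potential_role && $potential_role->has_cap( 'promote_users' ) ) )
+		{
+			$user->role = $new_role;
+		}
 	}
 
 	if ( isset( $_POST['email'] ))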
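Review bot: The self-demotion guard on the new side (new lines 62-68) still fails silently: when the current user posts a role for their own account that lacks `promote_users`, neither `$user->role` is assigned nor an error raised, so the request appears to succeed while the role change is dropped, whereas the non-editable-role case a few lines above dies with a 403. If that no-op is intentional, say so in the comment, e.g. `// Silently keep the current role: a user may not strip promote_users from themselves.`; otherwise an `else` branch with `wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );` would make the two checks consistent. The `$user_id != get_current_user_id()` comparison is also loose; since `$user_id` may arrive as a string, `(int) $user_id !== get_current_user_id()` is safer and matches the `! $user_id` check on new line 51. The comment "or be a multisite super admin" describes a `manage_network_users` capability check, so any user granted that cap, not only super admins, passes — worth wording the comment to match. The enclosing function starts and ends outside this hunk, so whether `$wp_roles` is brought into scope with `global` there cannot be confirmed from the hunk.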