

Ticket #6014: role-manager-jer.php

File role-manager-jer.php, 3.5 KB (added by jeremyclarke, 7 years ago)

example plugin addition to role-manager

1<?php
2/*
3Plugin Name: Role Manager Security Core Patch Example Plugin
4Plugin URI: http://www.im-web-gefunden.de/wordpress-plugins/role-manager/
5Description: Add-On to Role Manager plugin to use WP API to better control the editing of users by other users. Specifically to avoid users having the ability to change their role to administrator when they are given the edit_users privilege.
6Version: 2.2.1
7Author: Jeremy Clarke
8Author URI: http://www.im-web-gefunden.de/
9Update Server:  http://www.im-web-gefunden.de/
10Min WP Version: 2.0
11Max WP Version: 2.3
12License: MIT License - http://www.opensource.org/licenses/mit-license.php
13
14*/
15
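// ***************************************************************
// Remove any role that has a capability that the current user doesn't have.
//
// Hooked to the 'role_names_listing' filter, which might not exist yet.
// Probably won't be around until 2.6 is released, maybe 2.5.1...
//
// $role_names - role slug => display name list about to be offered (e.g. in
//               a role dropdown). Returned with every role removed that grants
//               a capability the current user lacks, so a user can only hand
//               out privileges they hold themselves.
//
// Only capabilities a role actually grants (true value) are compared. A
// 'cap' => false entry is an explicit denial, not a grant, and must not
// cause the role to be hidden.

function check_user_editable_roles($role_names) {
        global $wp_roles;

        // Nothing to filter, or no role table to compare against.
        if (!is_array($role_names) || empty($wp_roles->roles)) {
                return $role_names;
        }

        foreach ($wp_roles->roles as $role => $details) {
                $granted = isset($details['capabilities']) ? (array) $details['capabilities'] : array();
                foreach ($granted as $capability => $value) {
                        // Denied caps confer nothing; skip them.
                        if (!$value) {
                                continue;
                        }
                        if (!current_user_can($capability)) {
                                // One missing cap is enough to hide the role.
                                unset($role_names[$role]);
                                break;
                        }
                }
        }
        return $role_names;
}
add_filter('role_names_listing', 'check_user_editable_roles');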
36
37
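// ***************************************************************
// Check if the logged in user should be allowed to edit another
// user.
//
// For hooking into 'user_has_cap' filter. Use when doing a
// check for current_user_can('edit_user', $user_id);
// Works by comparing the logged-in user to the user being edited:
// if the edited user holds any role or capability the logged-in
// user lacks, 'edit_users' is removed from the returned caps so the
// check fails and the edit is refused.
//
// $allcaps - capabilities of the user being checked (cap => bool); returned
//            with 'edit_users' removed when the edit must be denied.
// $caps    - the primitive caps required for the requested check.
// $args    - [0] requested cap, [1] id of the user being checked,
//            [2] id of the user to be edited (only present for 'edit_user').
//
// NOTE(review): the comparisons use current_user_can(), so this assumes the
// user being checked ($args[1]) is the logged-in user — confirm that holds
// wherever this filter fires.

function check_user_editable($allcaps, $caps, $args) {
        // only run if we're checking the 'edit_users' cap
        // also, only if there is a second argument in $args (the second, edited, user)
        // The $args[2] guard also stops the current_user_can() calls below from
        // re-entering this filter, since they are made without that argument.
        if (!isset($caps[0]) || $caps[0] !== 'edit_users' || empty($args[2])) {
                return $allcaps;
        }

        // Get full information about the user that they want to edit.
        global $user_object, $wp_roles;
        $edited_id = (int) $args[2];

        // Get the user object if globalizing it didn't work
        // note: that means we are on user_edit.php and not users.php
        if (!$user_object) $user_object = new WP_User($edited_id);

        // A global set for a different user must not let the cap through
        // unchanged: load the user actually named in the check instead.
        $edited_user = (is_object($user_object) && (int) $user_object->ID === $edited_id)
                ? $user_object
                : new WP_User($edited_id);

        // Unknown user: there is nothing to compare against, leave caps as given.
        if (empty($edited_user->ID)) return $allcaps;

        $edited_user_caps = (array) $edited_user->allcaps;
        $edited_user_roles = (array) $edited_user->roles;
        $checked_roles = array();

        // go through edited user's roles, and check for missing caps.
        foreach ($edited_user_roles as $name) {
                // A role the site no longer defines grants nothing here.
                $rolecaps = isset($wp_roles->roles[$name]['capabilities'])
                        ? (array) $wp_roles->roles[$name]['capabilities']
                        : array();
                foreach ($rolecaps as $capability => $value) {
                        // Only granted caps (true) count; 'cap' => false is a denial.
                        if ($value && !current_user_can($capability)) {
                                unset($allcaps['edit_users']);
                                return $allcaps;
                        }
                }
                // add the role to a list of checked roles if there are no problems
                $checked_roles[] = $name;
        }

        // This only runs if there were no conflicts while checking roles
        // go through the edited users caps and check if current user has them all
        // (keys matching a role verified above are skipped, as the original did;
        // presumably role names can also appear as allcaps keys).
        foreach ($edited_user_caps as $capability => $value) {
                if (in_array($capability, $checked_roles, true)) {
                        continue;
                }
                if ($value && !current_user_can($capability)) {
                        unset($allcaps['edit_users']);
                        return $allcaps;
                }
        }

        return $allcaps;
}

add_filter('user_has_cap', 'check_user_editable', 10, 3);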
98
99
100?>