
Ticket #8770: admin-includes-users_dec31-08.diff

File admin-includes-users_dec31-08.diff, 3.3 KB (added by jeremyclarke, 5 years ago)

update wp-admin/includes/user.php with get_editable_roles()

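--- a/wp-admin/includes/user.php
+++ b/wp-admin/includes/user.php
@@ -9,9 +9,12 @@
 /** 
  * Creates a new user from the "Users" form using $_POST information. 
  * 
- * {@internal Missing Long Description}} 
+ * It seems that the first half is for backwards compatibility, but only 
+ * has the ability to alter the user's role. Wordpress core seems to  
+ * use this function only in the second way, running edit_user() with 
+ * no id so as to create a new user. 
  * 
- * @since unknown 
+ * @since 2.0 
  * 
  * @param int $user_id Optional. User ID. 
  * @return null|WP_Error|int Null when adding user, WP_Error or User ID integer when no parameters. 
@@ -22,7 +25,13 @@
                 $user_id = (int) func_get_arg( 0 ); 
 
                 if ( isset( $_POST['role'] ) ) { 
+                        // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 
                         if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' ) ) { 
+                                // If the new role isn't editable by the logged-in user die with error 
+                                $editable_roles = get_editable_roles(); 
+                                if (!$editable_roles[$_POST['role']]) 
+                                        wp_die(__('You can’t give users that role.')); 
+                                 
                                 $user = new WP_User( $user_id ); 
                                 $user->set_role( $_POST['role'] ); 
                         } 
@@ -34,14 +43,14 @@
 } 
 
 /** 
- * {@internal Missing Short Description}} 
+ * Edit user settings based on contents of $_POST 
  * 
- * {@internal Missing Long Description}} 
+ * Used on user-edit.php and profile.php to manage and process user options, passwords etc. 
  * 
- * @since unknown 
+ * @since 2.0 
  * 
  * @param int $user_id Optional. User ID. 
- * @return unknown 
+ * @return int user id of the updated user 
  */ 
 function edit_user( $user_id = 0 ) { 
         global $current_user, $wp_roles, $wpdb; 
@@ -65,8 +74,15 @@
                 $pass2 = $_POST['pass2']; 
 
         if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { 
+ 
+                // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 
                 if( $user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap( 'edit_users' )) 
-                        $user->role = $_POST['role']; 
+                        $user->role = $_POST['role'];  
+ 
+                // If the new role isn't editable by the logged-in user die with error 
+                $editable_roles = get_editable_roles(); 
+                if (!$editable_roles[$_POST['role']]) 
+                        wp_die(__('You can’t give users that role.')); 
         } 
 
         if ( isset( $_POST['email'] )) 
@@ -242,6 +258,31 @@
 } 
 
 /** 
+ * Fetch a filtered list of user roles that the current user is  
+ * allowed to edit.  
+ * 
+ * Simple function who's main purpose is to allow filtering of the  
+ * list of roles in the $wp_roles object so that plugins can remove 
+ * innappropriate ones depending on the situation or user making edits. 
+ * Specifically because without filtering anyone with the edit_users 
+ * capability can edit others to be administrators, even if they are 
+ * only editors or authors. This filter allows admins to delegate 
+ * user management.  
+ * 
+ * @since 2.8 
+ * 
+ * @return unknown 
+ */ 
+function get_editable_roles() { 
+        global $wp_roles; 
+ 
+        $all_roles = $wp_roles->roles; 
+        $editable_roles = apply_filters('editable_roles', $all_roles);   
+         
+        return $editable_roles; 
+} 
+ 
+/** 
  * {@internal Missing Short Description}} 
  * 
  * {@internal Missing Long Description}}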
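Review bot: In the edit_user() hunk the editable-roles check runs after `$_POST['role']` has already been dereferenced through `$wp_roles->role_objects[...]->has_cap()` and assigned to `$user->role`, so an unknown role name produces a PHP error on the has_cap() call before the friendly wp_die() is reached, and the guard depends on wp_die() terminating the request before $user is saved later in the function (edit_user()'s body continues outside the hunk). Move the `$editable_roles = get_editable_roles();` lookup and its check to the top of the `if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) )` block, ahead of the self-edit check and the assignment, and test key presence instead of truthiness: `if ( ! isset( $editable_roles[ $_POST['role'] ] ) )`. The add_user() hunk has the same ordering (has_cap() evaluated before the editable-roles lookup) and the same `!$editable_roles[...]` test, so the same reordering and isset() check apply there. Separately, get_editable_roles() is documented as `@return unknown` although it returns the filtered `$wp_roles->roles` array; `@return array Role definitions keyed by role name, after the 'editable_roles' filter.` would be accurate.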