Changeset 16329

Timestamp:

11/12/2010 04:35:28 PM (15 years ago)

Author:

ryan

Message:

Check delete_site and delete_sites caps. Check for delete_user is more places.

Location:

trunk/wp-admin

Files:

• includes/class-wp-ms-sites-list-table.php (modified) (2 diffs)
• network/edit.php (modified) (8 diffs)
• network/sites.php (modified) (1 diff)

trunk/wp-admin/includes/class-wp-ms-sites-list-table.php

@@ -116 +116 @@
     function get_bulk_actions() {
         $actions = array();
-        $actions['delete'] = __( 'Delete' );
+        if ( current_user_can( 'delete_sites' ) )
+            $actions['delete'] = __( 'Delete' );
         $actions['spam'] = _x( 'Mark as Spam', 'site' );
         $actions['notspam'] = _x( 'Not Spam', 'site' );
@@ -248 +249 @@
                                     $actions['spam']    = '<span class="spam"><a href="' . esc_url( network_admin_url( 'edit.php?action=confirm&amp;action2=spamblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to mark the site %s as spam.' ), $blogname ) ) ) ) . '">' . _x( 'Spam', 'site' ) . '</a></span>';
 
-                                $actions['delete']  = '<span class="delete"><a href="' . esc_url( network_admin_url( 'edit.php?action=confirm&amp;action2=deleteblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to delete the site %s.' ), $blogname ) ) ) ) . '">' . __( 'Delete' ) . '</a></span>';
+                                if ( current_user_can( 'delete_site', $blog['blog_id'] ) )
+                                    $actions['delete']  = '<span class="delete"><a href="' . esc_url( network_admin_url( 'edit.php?action=confirm&amp;action2=deleteblog&amp;id=' . $blog['blog_id'] . '&amp;msg=' . urlencode( sprintf( __( 'You are about to delete the site %s.' ), $blogname ) ) ) ) . '">' . __( 'Delete' ) . '</a></span>';
                             }
 

trunk/wp-admin/network/edit.php

@@ -36 +36 @@
         if ( $val != '' && $val != '0' ) {
             $delete_user = new WP_User( $val );
+
+            if ( ! current_user_can( 'delete_user', $delete_user->ID ) )
+                wp_die( sprintf( __( 'Warning! User %s cannot be deleted.' ), $delete_user->user_login ) );
 
             if ( in_array( $delete_user->user_login, $site_admins ) )
@@ -167 +170 @@
     case 'deleteblog':
         check_admin_referer('deleteblog');
-        if ( ! current_user_can( 'manage_sites' ) )
-            wp_die( __( 'You do not have permission to access this page.' ) );
-
-        if ( $id != '0' && $id != $current_site->blog_id )
+        if ( ! ( current_user_can( 'manage_sites' ) && current_user_can( 'delete_sites' ) ) )
+            wp_die( __( 'You do not have permission to access this page.' ) );
+
+        if ( $id != '0' && $id != $current_site->blog_id && current_user_can ( 'delete_site', $id ) ) {
             wpmu_delete_blog( $id, true );
-
-        wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), wp_get_referer() ) );
+            wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'delete' ), wp_get_referer() ) );
+        } else {
+            wp_redirect( add_query_arg( array( 'updated' => 'true', 'action' => 'not_deleted' ), wp_get_referer() ) );
+        }
+        
         exit();
     break;
@@ -192 +198 @@
                     switch ( $doaction ) {
                         case 'delete':
+                            if ( ! current_user_can( 'delete_site', $val ) )
+                                wp_die( __( 'You are not allowed to delete the site.' ) );
                             $blogfunction = 'all_delete';
                             wpmu_delete_blog( $val, true );
@@ -360 +368 @@
 
     case 'allusers':
-        if ( ! current_user_can( 'manage_network_users' ) )
+        if ( current_user_can( 'manage_network_users' ) )
             wp_die( __( 'You do not have permission to access this page.' ) );
 
@@ -373 +381 @@
                     switch ( $doaction ) {
                         case 'delete':
+                            if ( ! current_user_can( 'delete_users' ) )
+                                wp_die( __( 'You do not have permission to access this page.' ) );
                             $title = __( 'Users' );
                             $parent_file = 'users.php';
@@ -418 +428 @@
     case 'dodelete':
         check_admin_referer( 'ms-users-delete' );
-        if ( ! current_user_can( 'manage_network_users' ) )
+        if ( ! ( current_user_can( 'manage_network_users' ) && current_user_can( 'delete_users' ) ) )
             wp_die( __( 'You do not have permission to access this page.' ) );
 
@@ -424 +434 @@
             foreach ( $_POST['blog'] as $id => $users ) {
                 foreach ( $users as $blogid => $user_id ) {
+                    if ( ! current_user_can( 'delete_user', $id ) )
+                        continue;
+
                     if ( ! empty( $_POST['delete'] ) && 'reassign' == $_POST['delete'][$blogid][$id] )
                         remove_user_from_blog( $id, $blogid, $user_id );
@@ -434 +447 @@
         if ( is_array( $_POST['user'] ) && ! empty( $_POST['user'] ) )
             foreach( $_POST['user'] as $id ) {
+                if ( ! current_user_can( 'delete_user', $id ) )
+                    continue;
                 wpmu_delete_user( $id );
                 $i++;

trunk/wp-admin/network/sites.php

@@ -55 +55 @@
         case 'delete':
             $msg = __( 'Site deleted.' );
+        case 'not_deleted':
+            $msg = __( 'You do not have permission to delete that site.' );
         break;
         case 'archive':