Changeset 21152 for trunk/wp-includes/capabilities.php

Timestamp:

06/27/2012 07:27:54 PM (14 years ago)

Author:

nacin

Message:

Remove 'fall through' points in map_meta_cap() as they can hide bugs.

File:

• trunk/wp-includes/capabilities.php (modified) (4 diffs)

trunk/wp-includes/capabilities.php

@@ -948 +948 @@
         break;
     case 'edit_user':
+    case 'edit_users':
         // Allow user to edit itself
-        if ( isset( $args[0] ) && $user_id == $args[0] )
+        if ( 'edit_user' == $cap && isset( $args[0] ) && $user_id == $args[0] )
             break;
-        // Fall through
-    case 'edit_users':
+
         // If multisite these caps are allowed only for super admins.
         if ( is_multisite() && !is_super_admin( $user_id ) )
             $caps[] = 'do_not_allow';
         else
-            $caps[] = 'edit_users'; // Explicit due to primitive fall through
+            $caps[] = 'edit_users'; // edit_user maps to edit_users.
         break;
     case 'delete_post':
@@ -1131 +1131 @@
         if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML )
             $caps[] = 'do_not_allow';
+        elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+            $caps[] = 'do_not_allow';
         else
             $caps[] = $cap;
@@ -1137 +1139 @@
     case 'edit_plugins':
     case 'edit_themes':
-        if ( defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT ) {
+        // Disallow the file editors.
+        if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT )
             $caps[] = 'do_not_allow';
-            break;
-        }
-        // Fall through if not DISALLOW_FILE_EDIT.
+        elseif ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
+            $caps[] = 'do_not_allow';
+        elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+            $caps[] = 'do_not_allow';
+        else
+            $caps[] = $cap;
+        break;
     case 'update_plugins':
     case 'delete_plugins':
@@ -1149 +1156 @@
     case 'install_themes':
     case 'update_core':
-        // Disallow anything that creates, deletes, or edits core, plugin, or theme files.
+        // Disallow anything that creates, deletes, or updates core, plugin, or theme files.
         // Files in uploads are excepted.
-        if ( defined('DISALLOW_FILE_MODS') && DISALLOW_FILE_MODS ) {
+        if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
             $caps[] = 'do_not_allow';
-            break;
-        }
-        // Fall through if not DISALLOW_FILE_MODS.
+        elseif ( is_multisite() && ! is_super_admin( $user_id ) )
+            $caps[] = 'do_not_allow';
+        else
+            $caps[] = $cap;
+        break;
     case 'delete_user':
     case 'delete_users':
-        // If multisite these caps are allowed only for super admins.
-        if ( is_multisite() && !is_super_admin( $user_id ) ) {
+        // If multisite only super admins can delete users.
+        if ( is_multisite() && ! is_super_admin( $user_id ) )
             $caps[] = 'do_not_allow';
-        } else {
-            if ( 'delete_user' == $cap )
-                $cap = 'delete_users';
-            $caps[] = $cap;
-        }
+        else
+            $caps[] = 'delete_users'; // delete_user maps to delete_users.
         break;
     case 'create_users':