Changeset 33143

Timestamp:

07/09/2015 04:15:30 PM (11 years ago)

Author:

jeremyfelt

Message:

Do not allow deletion of a super admin user through wpmu_delete_user().

In step with the UI provided by wp-admin/network/users.php, super admin privileges must be removed before a user can be deleted through the API.

Props @johnjamesjacoby, @jeremyfelt.
Fixes #32935.

Location:

trunk

Files:

• src/wp-admin/includes/ms.php (modified) (1 diff)
• tests/phpunit/tests/user/multisite.php (modified) (1 diff)

trunk/src/wp-admin/includes/ms.php

@@ -191 +191 @@
     if ( !$user->exists() )
         return false;
+
+    // Global super-administrators are protected, and cannot be deleted.
+    $_super_admins = get_super_admins();
+    if ( in_array( $user->user_login, $_super_admins, true ) ) {
+        return false;
+    }
+
     /**
      * Fires before a user is deleted from the network.

trunk/tests/phpunit/tests/user/multisite.php

@@ -230 +230 @@
     }
 
+    function test_revoked_super_admin_can_be_deleted() {
+        if ( isset( $GLOBALS['super_admins'] ) ) {
+            $old_global = $GLOBALS['super_admins'];
+            unset( $GLOBALS['super_admins'] );
+        }
+
+        $user_id = $this->factory->user->create();
+        grant_super_admin( $user_id );
+        revoke_super_admin( $user_id );
+
+        $this->assertTrue( wpmu_delete_user( $user_id ) );
+
+        if ( isset( $old_global ) ) {
+            $GLOBALS['super_admins'] = $old_global;
+        }
+    }
+
+    function test_revoked_super_admin_is_deleted() {
+        if ( isset( $GLOBALS['super_admins'] ) ) {
+            $old_global = $GLOBALS['super_admins'];
+            unset( $GLOBALS['super_admins'] );
+        }
+
+        $user_id = $this->factory->user->create();
+        grant_super_admin( $user_id );
+        revoke_super_admin( $user_id );
+        wpmu_delete_user( $user_id );
+        $user = new WP_User( $user_id );
+
+        $this->assertFalse( $user->exists(), 'WP_User->exists' );
+
+        if ( isset( $old_global ) ) {
+            $GLOBALS['super_admins'] = $old_global;
+        }
+    }
+
+    function test_super_admin_cannot_be_deleted() {
+        if ( isset( $GLOBALS['super_admins'] ) ) {
+            $old_global = $GLOBALS['super_admins'];
+            unset( $GLOBALS['super_admins'] );
+        }
+
+        $user_id = $this->factory->user->create();
+        grant_super_admin( $user_id );
+
+        $this->assertFalse( wpmu_delete_user( $user_id ) );
+
+        if ( isset( $old_global ) ) {
+            $GLOBALS['super_admins'] = $old_global;
+        }
+    }
+
     /**
      * @ticket 27205