Make WordPress Core

Changeset 33988


Ignore:
Timestamp:
09/10/2015 03:33:22 AM (9 years ago)
Author:
jeremyfelt
Message:

Multisite: Allow users with manage_network_users to edit network users.

Other users in a network can now be given capabilities to manage users without also having global super admin privileges.

  • Users with manage_network_users can not edit super admins.
  • Users with manage_network_users can not promote users to super admin.
  • Uses of is_super_admin() in user-new.php are now updated to manage_network_users.

Props daniellandau, chriscct7.
Fixes #16860.

Location:
trunk
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/user-new.php

    r33945 r33988  
    8585        $redirect = add_query_arg( array('update' => 'addexisting'), 'user-new.php' );
    8686    } else {
    87         if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
     87        if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) {
    8888            add_existing_user_to_blog( array( 'user_id' => $user_id, 'role' => $_REQUEST[ 'role' ] ) );
    8989            $redirect = add_query_arg( array('update' => 'addnoconfirmation'), 'user-new.php' );
     
    159159             */
    160160            $new_user_login = apply_filters( 'pre_user_login', sanitize_user( wp_unslash( $_REQUEST['user_login'] ), true ) );
    161             if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
     161            if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) {
    162162                add_filter( 'wpmu_signup_user_notification', '__return_false' ); // Disable confirmation email
    163163                add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email
    164164            }
    165165            wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => $wpdb->blogid, 'new_role' => $_REQUEST['role'] ) );
    166             if ( isset( $_POST[ 'noconfirmation' ] ) && is_super_admin() ) {
     166            if ( isset( $_POST[ 'noconfirmation' ] ) && current_user_can( 'manage_network_users' ) ) {
    167167                $key = $wpdb->get_var( $wpdb->prepare( "SELECT activation_key FROM {$wpdb->signups} WHERE user_login = %s AND user_email = %s", $new_user_login, $new_user_email ) );
    168168                wpmu_activate_signup( $key );
     
    340340        </td>
    341341    </tr>
    342 <?php if ( is_super_admin() ) { ?>
     342<?php if ( current_user_can( 'manage_network_users' ) ) { ?>
    343343    <tr>
    344344        <th scope="row"><label for="adduser-noconfirmation"><?php _e('Skip Confirmation Email') ?></label></th>
     
    477477        </td>
    478478    </tr>
    479     <?php if ( is_multisite() && is_super_admin() ) { ?>
     479    <?php if ( is_multisite() && current_user_can( 'manage_network_users' ) ) { ?>
    480480    <tr>
    481481        <th scope="row"><label for="noconfirmation"><?php _e('Skip Confirmation Email') ?></label></th>
  • trunk/src/wp-includes/capabilities-functions.php

    r33967 r33988  
    3838            break;
    3939
    40         // If multisite these caps are allowed only for super admins.
    41         if ( is_multisite() && !is_super_admin( $user_id ) )
    42             $caps[] = 'do_not_allow';
    43         else
     40        // In multisite the user must have manage_network_users caps. If editing a super admin, the user must be a super admin.
     41        if ( is_multisite() && ( ( ! is_super_admin( $user_id ) && 'edit_user' === $cap && is_super_admin( $args[0] ) ) || ! user_can( $user_id, 'manage_network_users' ) ) ) {
     42            $caps[] = 'do_not_allow';
     43        } else {
    4444            $caps[] = 'edit_users'; // edit_user maps to edit_users.
     45        }
    4546        break;
    4647    case 'delete_post':
  • trunk/tests/phpunit/tests/user/capabilities.php

    r33987 r33988  
    964964        $this->assertTrue( current_user_can( 'edit_user', $user->ID ) );
    965965    }
     966
     967    function test_multisite_administrator_with_manage_network_users_can_edit_users() {
     968        if ( ! is_multisite() ) {
     969            $this->markTestSkipped( 'Test only runs in multisite' );
     970            return;
     971        }
     972
     973        $user = new WP_User( $this->factory->user->create( array( 'role' => 'administrator' ) ) );
     974        $user->add_cap( 'manage_network_users' );
     975        $other_user = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
     976
     977        wp_set_current_user( $user->ID );
     978
     979        $this->assertTrue( current_user_can( 'edit_user', $other_user->ID ) );
     980    }
     981
     982    function test_multisite_administrator_with_manage_network_users_can_not_edit_super_admin() {
     983        if ( ! is_multisite() ) {
     984            $this->markTestSkipped( 'Test only runs in multisite' );
     985            return;
     986        }
     987
     988        $user = new WP_User( $this->factory->user->create( array( 'role' => 'administrator' ) ) );
     989        $user->add_cap( 'manage_network_users' );
     990        $super_admin = new WP_User( $this->factory->user->create( array( 'role' => 'subscriber' ) ) );
     991        grant_super_admin( $super_admin->ID );
     992
     993        wp_set_current_user( $user->ID );
     994
     995        $this->assertFalse( current_user_can( 'edit_user', $super_admin->ID ) );
     996    }
    966997}
Note: See TracChangeset for help on using the changeset viewer.