Make WordPress Core


Timestamp:
12/12/2016 09:41:44 PM (8 years ago)
Author:
flixos90
Message:

Multisite: Handle capability check for removing oneself via map_meta_cap().

Site administrators should not be able to remove themselves from a site. This moves the enforcement of this rule from wp-admin/users.php to remove_user_from_blog() via the remove_user capability, which furthermore allows us to get rid of two additional clauses and their is_super_admin() checks in wp-admin/users.php. A unit test for the new behavior has been added.

Fixes #39063. See #37616.

File:
1 edited

  • trunk/src/wp-admin/users.php

    r39534 r39588  
    322322    foreach ( $userids as $id ) {
    323323        $id = (int) $id;
    324         if ( $id == $current_user->ID && !is_super_admin() ) {
    325             $update = 'err_admin_remove';
    326             continue;
    327         }
    328324        if ( !current_user_can('remove_user', $id) ) {
    329325            $update = 'err_admin_remove';
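Review bot: deleting the `$id == $current_user->ID && !is_super_admin()` guard leaves `current_user_can( 'remove_user', $id )` as the only thing standing between a site administrator and removing themselves, but this changeset lists only wp-admin/users.php as edited, so the map_meta_cap() side that the commit message says now enforces the rule is not visible here; confirm the `remove_user` mapping that denies self-removal for non-super-admins landed in this or an earlier changeset, otherwise this hunk silently drops the last check. The message also says a unit test for the new behavior was added, yet "File: 1 edited" shows no test file; the test belongs in the same changeset so the behavior it covers cannot regress unnoticed.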
     
    378374        $id = (int) $id;
    379375        $user = get_userdata( $id );
    380         if ( $id == $current_user->ID && !is_super_admin() ) {
    381             /* translators: 1: user id, 2: user login */
    382             echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>The current user will not be removed.</strong>'), $id, $user->user_login) . "</li>\n";
    383         } elseif ( !current_user_can('remove_user', $id) ) {
     376        if ( ! current_user_can( 'remove_user', $id ) ) {
    384377            /* translators: 1: user id, 2: user login */
    385378            echo "<li>" . sprintf(__('ID #%1$s: %2$s <strong>Sorry, you are not allowed to remove this user.</strong>'), $id, $user->user_login) . "</li>\n";
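Review bot: collapsing the `elseif` into `if ( ! current_user_can( 'remove_user', $id ) ) {` drops the dedicated "The current user will not be removed." message, so an administrator who ticks their own row on the confirmation screen now sees the generic "Sorry, you are not allowed to remove this user." text; either accept that loss deliberately or keep a separate self-removal branch ahead of the capability check so the wording stays specific. Style point: this hunk reformats the check to WPCS spacing (`! current_user_can( 'remove_user', $id )`) while the surviving check in the first hunk keeps `!current_user_can('remove_user', $id)`; align both in the same commit.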