WordPress.org

Make WordPress Core


Timestamp:
12/12/2016 09:41:44 PM (3 years ago)
Author:
flixos90
Message:

Multisite: Handle capability check for removing oneself via map_meta_cap().

Site administrators should not be able to remove themselves from a site. This moves the enforcement of this rule from wp-admin/users.php to remove_user_from_blog() via the remove_user capability, which furthermore allows us to get rid of two additional clauses and their is_super_admin() checks in wp-admin/users.php. A unit test for the new behavior has been added.

Fixes #39063. See #37616.

File:
1 edited

  • trunk/src/wp-includes/capabilities.php

    r39494 r39588  
    3333    switch ( $cap ) {
    3434    case 'remove_user':
    35         $caps[] = 'remove_users';
     35        // In multisite the user must be a super admin to remove themselves.
     36        if ( isset( $args[0] ) && $user_id == $args[0] && ! is_super_admin( $user_id ) ) {
     37            $caps[] = 'do_not_allow';
     38        } else {
     39            $caps[] = 'remove_users';
     40        }
    3641        break;
    3742    case 'promote_user':
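Review bot: The deny branch on new line 36 only fires when `isset( $args[0] )` is true, so a caller that checks `remove_user` without passing the target user ID falls through to plain `remove_users` and the self-removal rule is silently skipped. Since the commit message moves enforcement out of wp-admin/users.php and into this mapping, the requirement that every `remove_user` check must pass the ID of the user being removed should be stated in the inline comment or the function's docs. Two smaller points on the same line: the comment on new line 35 says "In multisite", but the condition has no is_multisite() check, so either add the guard or reword the comment to match what the code does; and `$user_id == $args[0]` is a loose comparison, where casting both sides to int and using `===` would make the self-match explicit.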