Timestamp:
12/12/2016 09:41:44 PM (8 years ago)
Author:
flixos90
Message:

Multisite: Handle capability check for removing oneself via map_meta_cap().

Site administrators should not be able to remove themselves from a site. This moves the enforcement of this rule from wp-admin/users.php to remove_user_from_blog() via the remove_user capability, which furthermore allows us to get rid of two additional clauses and their is_super_admin() checks in wp-admin/users.php. A unit test for the new behavior has been added.

Fixes #39063. See #37616.

File:
1 edited

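--- a/trunk/tests/phpunit/tests/user/capabilities.php
+++ b/trunk/tests/phpunit/tests/user/capabilities.php
@@ -1758,3 +1758,20 @@
         $this->assertFalse( current_user_can( 'add_user_meta', self::$users['subscriber']->ID, 'foo' ) );
     }
+
+    /**
+     * @ticket 39063
+     */
+    public function test_only_super_admins_can_remove_themselves_on_multisite() {
+        if ( ! is_multisite() ) {
+            $this->markTestSkipped( 'Test only runs in multisite.' );
+        }
+
+        $this->assertTrue( user_can( self::$super_admin->ID, 'remove_user', self::$super_admin->ID ) );
+
+        $this->assertFalse( user_can( self::$users['administrator']->ID, 'remove_user', self::$users['administrator']->ID ) );
+        $this->assertFalse( user_can( self::$users['editor']->ID,        'remove_user', self::$users['editor']->ID ) );
+        $this->assertFalse( user_can( self::$users['author']->ID,        'remove_user', self::$users['author']->ID ) );
+        $this->assertFalse( user_can( self::$users['contributor']->ID,   'remove_user', self::$users['contributor']->ID ) );
+        $this->assertFalse( user_can( self::$users['subscriber']->ID,    'remove_user', self::$users['subscriber']->ID ) );
+    }
 }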
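Review bot: The new test in `test_only_super_admins_can_remove_themselves_on_multisite()` has no positive control for a regular administrator, so it cannot tell a self-target denial apart from a blanket denial of `remove_user`. The editor, author, contributor and subscriber assertions presumably pass with or without the new rule, since those roles likely lack the underlying primitive capability; only the administrator line exercises the self-removal check. I would add `$this->assertTrue( user_can( self::$users['administrator']->ID, 'remove_user', self::$users['editor']->ID ) );` (assuming both fixture users are members of the current site) so that a regression which over-restricts the capability fails here. The docblock could also state the rule under test in one line, e.g. `Site administrators must not be able to remove themselves from a site; super admins may.`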