
Changeset 40993


Timestamp:
07/02/2017 05:15:42 AM (7 years ago)
Author:
peterwilsoncc
Message:

Capabilities: Prevent users having the do_not_allow capability.

Meta capabilities use the capability do_not_allow to indicate a user should be blocked from performing a particular action. This ensures users cannot have the capability, as it would cause unexpected behaviour.

Props johnbillion.
Fixes #41059.

Location:
trunk
Files:
2 edited

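--- a/trunk/src/wp-includes/class-wp-user.php
+++ b/trunk/src/wp-includes/class-wp-user.php
@@ -749,4 +749,7 @@
         $capabilities['exist'] = true;
 
+        // Nobody is allowed to do things they are not allowed to do.
+        unset( $capabilities['do_not_allow'] );
+
         // Must have ALL requested caps.
         foreach ( (array) $caps as $cap ) {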
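Review bot: The comment above the added `unset( $capabilities['do_not_allow'] )` says what the line does but not why that key is special, so a later maintainer has no hint that it is a sentinel rather than a real capability; suggest `// 'do_not_allow' is the sentinel map_meta_cap() returns to deny an action outright; strip it so no role, user meta or user_has_cap filter can ever grant it.` Assuming the `user_has_cap` filter is applied before this point (it is not in the hunk), placing the unset after the filter is what makes a filter-granted `do_not_allow` fail closed, and the comment should say so to discourage moving the line above the filter during a refactor. has_cap() begins and ends outside the hunk.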
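--- a/trunk/tests/phpunit/tests/user/capabilities.php
+++ b/trunk/tests/phpunit/tests/user/capabilities.php
@@ -495,4 +495,55 @@
     }
 
+    /**
+     * @ticket 41059
+     */
+    public function test_do_not_allow_is_denied_for_all_roles() {
+        foreach ( self::$users as $role => $user ) {
+
+            # Test adding the cap directly to the user
+            $user->add_cap( 'do_not_allow' );
+            $has_cap = $user->has_cap( 'do_not_allow' );
+            $user->remove_cap( 'do_not_allow' );
+            $this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
+
+            # Test adding the cap to the user's role
+            $role_obj = get_role( $role );
+            $role_obj->add_cap( 'do_not_allow' );
+            $has_cap = $user->has_cap( 'do_not_allow' );
+            $role_obj->remove_cap( 'do_not_allow' );
+            $this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
+
+            # Test adding the cap via a filter
+            add_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
+            $has_cap = $user->has_cap( 'do_not_allow' );
+            remove_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
+            $this->assertFalse( $has_cap, "User with the {$role} role should not have the do_not_allow capability" );
+
+        }
+    }
+
+    /**
+     * @group ms-required
+     * @ticket 41059
+     */
+    public function test_do_not_allow_is_denied_for_super_admins() {
+        # Test adding the cap directly to the user
+        self::$super_admin->add_cap( 'do_not_allow' );
+        $has_cap = self::$super_admin->has_cap( 'do_not_allow' );
+        self::$super_admin->remove_cap( 'do_not_allow' );
+        $this->assertFalse( $has_cap, 'Super admins should not have the do_not_allow capability' );
+
+        # Test adding the cap via a filter
+        add_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
+        $has_cap = self::$super_admin->has_cap( 'do_not_allow' );
+        remove_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 );
+        $this->assertFalse( $has_cap, 'Super admins should not have the do_not_allow capability' );
+    }
+
+    public function grant_do_not_allow( $allcaps, $caps, $args, $user ) {
+        $allcaps['do_not_allow'] = true;
+        return $allcaps;
+    }
+
     // special case for the link manager
     function test_link_manager_caps() {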
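Review bot: `remove_filter()` takes three parameters (hook, callback, priority), so the trailing `4` in the two `remove_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10, 4 )` calls in the new tests is silently ignored; drop it to `remove_filter( 'user_has_cap', array( $this, 'grant_do_not_allow' ), 10 );` so the call does not look as though it must mirror `add_filter()`. The `#` comment style in the new test bodies differs from the `//` used by the surrounding file (compare the context line `// special case for the link manager`); switch to `//`. In `test_do_not_allow_is_denied_for_all_roles()` the `get_role( $role )` result is dereferenced without a null check, so if `self::$users` ever gains a key that is not a registered role the test fatals rather than fails; `$this->assertNotNull( $role_obj );` before `add_cap()` would give a clear failure (whether every key is a role is not visible here).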