
Changeset 41268


Timestamp:
08/18/2017 06:30:28 PM (7 years ago)
Author:
flixos90
Message:

Role/Capability: Introduce capabilities dedicated to installing and updating language files.

The new meta capabilities are called install_languages and update_languages. Prior to this change, there were no proper capability checks applied. Instead only the filesystem and related constants were checked, and for actual permissions a rather vague fallback was used where a user needed to have at least one of the other updating capabilities. In addition to being generally more verbose, the new capabilities make it possible for example to allow a user to update languages, but nothing else. By default they fall back to the original way of how they were handled.

Props johnbillion, flixos90.
Fixes #39677.

Location:
trunk
Files:
9 edited

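--- a/trunk/src/wp-admin/menu.php
+++ b/trunk/src/wp-admin/menu.php
@@ -34,10 +34,13 @@
 
 if ( ! is_multisite() ) {
-    if ( current_user_can( 'update_core' ) )
+    if ( current_user_can( 'update_core' ) ) {
         $cap = 'update_core';
-    elseif ( current_user_can( 'update_plugins' ) )
+    } elseif ( current_user_can( 'update_plugins' ) ) {
         $cap = 'update_plugins';
-    else
+    } elseif ( current_user_can( 'update_themes' ) ) {
         $cap = 'update_themes';
+    } else {
+        $cap = 'update_languages';
+    }
     $submenu[ 'index.php' ][10] = array( sprintf( __('Updates %s'), "<span class='update-plugins count-{$update_data['counts']['total']}'><span class='update-count'>" . number_format_i18n($update_data['counts']['total']) . "</span></span>" ), $cap, 'update-core.php');
     unset( $cap );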
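Review bot: The final `else` at new lines 42–44 is the deny path for the Updates menu item, but nothing in the code says so. A user who holds none of the four capabilities ends up with `$cap = 'update_languages'`, and the submenu entry is hidden only because that user lacks it. A comment on the branch would stop a later edit from replacing the fallback with a weaker capability, for example `// Fallback: the Updates item stays hidden unless the user holds at least one update capability.`. The enclosing `if ( ! is_multisite() )` block closes outside the hunk.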
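--- a/trunk/src/wp-admin/network/settings.php
+++ b/trunk/src/wp-admin/network/settings.php
@@ -64,5 +64,5 @@
 
     // Handle translation install.
-    if ( ! empty( $_POST['WPLANG'] ) && wp_can_install_language_pack() ) {  // @todo: Skip if already installed
+    if ( ! empty( $_POST['WPLANG'] ) && current_user_can( 'install_languages' ) ) {
         $language = wp_download_language_pack( $_POST['WPLANG'] );
         if ( $language ) {
@@ -343,5 +343,5 @@
                             'languages'    => $languages,
                             'translations' => $translations,
-                            'show_available_translations' => wp_can_install_language_pack(),
+                            'show_available_translations' => current_user_can( 'install_languages' ),
                         ) );
                         ?>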
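Review bot: The install branch guarded by new line 66 still passes the raw `$_POST['WPLANG']` to `wp_download_language_pack()` on line 67, while the matching call in network/site-new.php in this changeset wraps it in `wp_unslash()`. Using `wp_download_language_pack( wp_unslash( $_POST['WPLANG'] ) )` here would keep the two handlers consistent. The change also drops the `@todo: Skip if already installed` marker with no visible replacement in this hunk. If that check now lives inside the download helper, a one-line comment saying so would help. The enclosing request handler starts above the hunk, so the request verification that should accompany the capability check cannot be confirmed from here.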
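--- a/trunk/src/wp-admin/network/site-new.php
+++ b/trunk/src/wp-admin/network/site-new.php
@@ -67,5 +67,7 @@
         if ( '' === $_POST['WPLANG'] ) {
             $meta['WPLANG'] = ''; // en_US
-        } elseif ( wp_can_install_language_pack() ) {
+        } elseif ( in_array( $_POST['WPLANG'], get_available_languages() ) ) {
+            $meta['WPLANG'] = $_POST['WPLANG'];
+        } elseif ( current_user_can( 'install_languages' ) ) {
             $language = wp_download_language_pack( wp_unslash( $_POST['WPLANG'] ) );
             if ( $language ) {
@@ -235,5 +237,5 @@
                         'languages'                   => $languages,
                         'translations'                => $translations,
-                        'show_available_translations' => wp_can_install_language_pack(),
+                        'show_available_translations' => current_user_can( 'install_languages' ),
                     ) );
                     ?>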
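Review bot: The allow-list test added at new line 69 calls `in_array()` in its loose mode on the still-slashed `$_POST['WPLANG']`, and line 70 stores that same raw value in `$meta['WPLANG']`. This branch is the only visible check before the locale is saved for users without `install_languages`, so it should compare strictly and on the unslashed value. That would be `} elseif ( in_array( wp_unslash( $_POST['WPLANG'] ), get_available_languages(), true ) ) {` followed by `$meta['WPLANG'] = wp_unslash( $_POST['WPLANG'] );`, which also matches the `wp_unslash()` already used on line 72. The surrounding `if` chain begins above the hunk.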
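--- a/trunk/src/wp-admin/options-general.php
+++ b/trunk/src/wp-admin/options-general.php
@@ -152,5 +152,5 @@
                 'languages'    => $languages,
                 'translations' => $translations,
-                'show_available_translations' => ( ! is_multisite() || is_super_admin() ) && wp_can_install_language_pack(),
+                'show_available_translations' => current_user_can( 'install_languages' ),
             ) );
 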
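--- a/trunk/src/wp-admin/options.php
+++ b/trunk/src/wp-admin/options.php
@@ -178,12 +178,10 @@
 
         // Handle translation install.
-        if ( ! empty( $_POST['WPLANG'] ) && ( ! is_multisite() || is_super_admin() ) ) { // @todo: Skip if already installed
+        if ( ! empty( $_POST['WPLANG'] ) && current_user_can( 'install_languages' ) ) {
             require_once( ABSPATH . 'wp-admin/includes/translation-install.php' );
 
-            if ( wp_can_install_language_pack() ) {
-                $language = wp_download_language_pack( $_POST['WPLANG'] );
-                if ( $language ) {
-                    $_POST['WPLANG'] = $language;
-                }
+            $language = wp_download_language_pack( $_POST['WPLANG'] );
+            if ( $language ) {
+                $_POST['WPLANG'] = $language;
             }
         }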
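Review bot: When the capability check at new line 180 fails, or `wp_download_language_pack()` returns a falsy value at line 183, `$_POST['WPLANG']` is left exactly as submitted and continues into whatever saves the option below this hunk. The hunk therefore depends on later validation of the locale that is not visible here. A comment above the `if` would record that dependency, for example `// Users without 'install_languages' can only select a locale that is already installed; the option sanitization must reject anything else.`. The enclosing block starts and ends outside the hunk.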
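--- a/trunk/src/wp-admin/update-core.php
+++ b/trunk/src/wp-admin/update-core.php
@@ -20,5 +20,5 @@
 }
 
-if ( ! current_user_can( 'update_core' ) && ! current_user_can( 'update_themes' ) && ! current_user_can( 'update_plugins' ) )
+if ( ! current_user_can( 'update_core' ) && ! current_user_can( 'update_themes' ) && ! current_user_can( 'update_plugins' ) && ! current_user_can( 'update_languages' ) )
     wp_die( __( 'Sorry, you are not allowed to update this site.' ) );
 
@@ -609,13 +609,17 @@
     echo '</p>';
 
-    if ( $core = current_user_can( 'update_core' ) )
+    if ( current_user_can( 'update_core' ) ) {
         core_upgrade_preamble();
-    if ( $plugins = current_user_can( 'update_plugins' ) )
+    }
+    if ( current_user_can( 'update_plugins' ) ) {
         list_plugin_updates();
-    if ( $themes = current_user_can( 'update_themes' ) )
+    }
+    if ( current_user_can( 'update_themes' ) ) {
         list_theme_updates();
-    if ( $core || $plugins || $themes )
+    }
+    if ( current_user_can( 'update_languages' ) ) {
         list_translation_updates();
-    unset( $core, $plugins, $themes );
+    }
+
     /**
      * Fires after the core, plugin, and theme update tables.
@@ -730,5 +734,5 @@
 } elseif ( 'do-translation-upgrade' == $action ) {
 
-    if ( ! current_user_can( 'update_core' ) && ! current_user_can( 'update_plugins' ) && ! current_user_can( 'update_themes' ) )
+    if ( ! current_user_can( 'update_languages' ) )
         wp_die( __( 'Sorry, you are not allowed to update this site.' ) );
 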
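Review bot: The two access-control guards changed at new lines 22 and 736 remain braceless `if` statements in front of `wp_die()`, even though this commit adds braces to the display block at lines 611–622. A braceless guard is easy to break when a second statement is later added under it, and these two lines are what stops an unauthorised request. Writing them as `if ( ! current_user_can( 'update_languages' ) ) {` with a closing `}` after the `wp_die()` call would match the rest of the change. The `do-translation-upgrade` branch continues below the hunk, so the request verification that should accompany the capability check cannot be confirmed from here.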
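--- a/trunk/src/wp-includes/capabilities.php
+++ b/trunk/src/wp-includes/capabilities.php
@@ -393,4 +393,18 @@
         }
         break;
+    case 'install_languages':
+    case 'update_languages':
+        if ( ! function_exists( 'wp_can_install_language_pack' ) ) {
+            require_once( ABSPATH . 'wp-admin/includes/translation-install.php' );
+        }
+
+        if ( ! wp_can_install_language_pack() ) {
+            $caps[] = 'do_not_allow';
+        } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
+            $caps[] = 'do_not_allow';
+        } else {
+            $caps[] = 'install_languages';
+        }
+        break;
     case 'activate_plugins':
         $caps[] = $cap;
@@ -827,2 +841,21 @@
     return false;
 }
+
+/**
+ * Filters the user capabilities to grant the 'install_languages' capability as necessary.
+ *
+ * A user must have at least one out of the 'update_core', 'install_plugins', and
+ * 'install_themes' capabilities to qualify for 'install_languages'.
+ *
+ * @since 4.9.0
+ *
+ * @param array $allcaps An array of all the user's capabilities.
+ * @return array Filtered array of the user's capabilities.
+ */
+function wp_maybe_grant_install_languages_cap( $allcaps ) {
+    if ( ! empty( $allcaps['update_core'] ) || ! empty( $allcaps['install_plugins'] ) || ! empty( $allcaps['install_themes'] ) ) {
+        $allcaps['install_languages'] = true;
+    }
+
+    return $allcaps;
+}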
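Review bot: `wp_maybe_grant_install_languages_cap()` at new lines 855–861 sets `$allcaps['install_languages'] = true` whenever one of the three qualifying capabilities is present, without first checking whether the key is already set. A role or user that stores `install_languages` as `false` is therefore still granted it. If an explicit denial is meant to win, return early with `if ( isset( $allcaps['install_languages'] ) ) { return $allcaps; }` before the grant. If overriding is intended, the docblock should say so. The docblock could also mention that the `case` block added at lines 395–408 maps `update_languages` to the same `install_languages` primitive, so this one grant controls both.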
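--- a/trunk/src/wp-includes/default-filters.php
+++ b/trunk/src/wp-includes/default-filters.php
@@ -513,3 +513,6 @@
 add_filter( 'pre_oembed_result',      'wp_filter_pre_oembed_result',    10, 3 );
 
+// Capabilities
+add_filter( 'user_has_cap', 'wp_maybe_grant_install_languages_cap', 1 );
+
 unset( $filter, $action );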
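Review bot: The registration at new line 516 uses priority 1 without saying why, and the `// Capabilities` comment above it does not explain the choice. Because the callback grants a capability, its position relative to other `user_has_cap` callbacks is security-relevant. If the intent is to let later callbacks revoke the grant, a comment such as `// Priority 1: runs before other user_has_cap callbacks so they can still override the grant.` would record it.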
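--- a/trunk/tests/phpunit/tests/user/capabilities.php
+++ b/trunk/tests/phpunit/tests/user/capabilities.php
@@ -234,4 +234,6 @@
             'customize'              => array( 'administrator' ),
             'add_users'              => array( 'administrator' ),
+            'install_languages'      => array( 'administrator' ),
+            'update_languages'       => array( 'administrator' ),
 
             'edit_categories'        => array( 'administrator', 'editor' ),
@@ -262,4 +264,6 @@
             'edit_css'               => array(),
             'upgrade_network'        => array(),
+            'install_languages'      => array(),
+            'update_languages'       => array(),
 
             'customize'              => array( 'administrator' ),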
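Review bot: The expectations added at new lines 236–237 and 266–267 cover only the default role matrix, so nothing here exercises the fallback grant or the denial paths introduced in capabilities.php. I would add cases for a user holding only `install_plugins` or `install_themes`, who is expected to gain `install_languages`, and for a multisite super admin. A further case should cover `wp_can_install_language_pack()` returning false, where both capabilities should resolve to `do_not_allow`. The arrays these lines belong to start and end outside the hunks.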