WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#12793 closed enhancement (fixed)

User without 'delete_user' capability has a link to delete an user

Reported by: Horttcore Owned by:
Milestone: 3.0 Priority: low
Severity: trivial Version: 2.9.2
Component: Role/Capability Keywords: has-patch
Focuses: Cc:

Description

In WordPress backend on the users.php

If a user has the capability 'edit_user', he has a link 'delete user' even if he hasnt the capability 'delete_user'.

This Link should be hidden if the user has no delete capability.

Attachments (1)

12793.patch (1.0 KB) - added by ocean90 4 years ago.

Download all attachments as: .zip

Change History (7)

ocean904 years ago

comment:1 ocean904 years ago

  • Component changed from Users to Role/Capability
  • Keywords has-patch added; user capability delete users.php removed
  • Milestone changed from Future Release to 3.0

Patch added.

comment:2 wpmuguru4 years ago

(In [13931]) fix caps check on delete user link, props ocean90, see #12793

comment:3 nacin4 years ago

Hmm. remove_user is a primitive capability, not a meta cap, so it can't be used like this. That said, as far as I can tell, it *should* be a meta cap instead of a primitive cap (mapping directly to remove_users), which means we'd need to remove it from the schema.

comment:4 ocean904 years ago

nacin: i use the same function as we used it in users.php line 96

comment:5 nacin4 years ago

(In [13956]) Make remove_user a meta capability. see #12793

comment:6 nacin4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Think this one is good.

Note: See TracTickets for help on using tickets.