Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#12793 closed enhancement (fixed)

User without 'delete_user' capability has a link to delete an user

Reported by: Horttcore Owned by:
Milestone: 3.0 Priority: low
Severity: trivial Version: 2.9.2
Component: Role/Capability Keywords: has-patch
Focuses: Cc:


In WordPress backend on the users.php

If a user has the capability 'edit_user', he has a link 'delete user' even if he hasnt the capability 'delete_user'.

This Link should be hidden if the user has no delete capability.

Attachments (1)

12793.patch (1.0 KB) - added by ocean90 6 years ago.

Download all attachments as: .zip

Change History (7)

6 years ago

#1 @ocean90
6 years ago

  • Component changed from Users to Role/Capability
  • Keywords has-patch added; user capability delete users.php removed
  • Milestone changed from Future Release to 3.0

Patch added.

#2 @wpmuguru
6 years ago

(In [13931]) fix caps check on delete user link, props ocean90, see #12793

#3 @nacin
6 years ago

Hmm. remove_user is a primitive capability, not a meta cap, so it can't be used like this. That said, as far as I can tell, it *should* be a meta cap instead of a primitive cap (mapping directly to remove_users), which means we'd need to remove it from the schema.

#4 @ocean90
6 years ago

nacin: i use the same function as we used it in users.php line 96

#5 @nacin
6 years ago

(In [13956]) Make remove_user a meta capability. see #12793

#6 @nacin
6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Think this one is good.

Note: See TracTickets for help on using tickets.