Opened 14 years ago
Closed 14 years ago
#13074 closed defect (bug) (fixed)
Distinguish between user deletion and removal in users.php
Reported by: | ryan | Owned by: | |
---|---|---|---|
Milestone: | 3.0 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Users | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
users.php makes it possible for a super admin to accidentally delete a user when removing the user from the blog is intended. These two actions should be separated.
Attachments (3)
Change History (13)
#5, 14 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening per IRC discussion. A bit more to do to fully implement list_users.
#7 (follow-up: #8), 14 years ago
- Keywords has-patch added
I just noticed that an administrator was unable to edit a user...
According to capabilities.php:
    case 'edit_user':
        // Allow user to edit itself
        if ( isset( $args[0] ) && $user_id == $args[0] )
            break;
        // Fall through
    case 'edit_users':
        // If multisite these caps are allowed only for super admins.
        if ( is_multisite() && !is_super_admin() )
            $caps[] = 'do_not_allow';
        else
            $caps[] = $cap;
        break;
I changed code to link the username if "edit_users" cap check passes... "edit_user" was only allowing edit for self.
I haven't tested the effect of this on MultiSite, FYI.
#8 (in reply to: #7), 14 years ago
@layotte, I was just about to submit a ticket concerning this exact issue.
I believe the line;
$caps[] = $cap;
should in fact be;
$caps[] = 'edit_users';
The problem lies in having skipped the break from the 'edit_user' block, hence falling through to the 'edit_users' block, but then failing the if in the 'edit_users' block, thereby adding a non-existent(?) cap 'edit_user' (note singular) to the $caps array.
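The fall-through discussed in comments 7 and 8, as an added example that is not part of the ticket or WordPress's own code: a simplified model of the quoted switch, run with and without the change proposed in comment 8. The names `map_cap` and `role_can`, the sample role, and the rule that a check passes only when the role holds every returned capability are assumptions made for the illustration.

```php
<?php
// Added illustration: simplified stand-in for the capability mapping quoted in
// comment 7. map_cap(), role_can() and the sample role are hypothetical.

function map_cap( string $cap, int $user_id, array $args, bool $multisite, bool $super_admin, bool $patched ): array {
    $caps = array();
    switch ( $cap ) {
        case 'edit_user':
            // Allow user to edit itself: no primitive cap is required.
            if ( isset( $args[0] ) && $user_id == $args[0] ) {
                break;
            }
            // Fall through
        case 'edit_users':
            if ( $multisite && ! $super_admin ) {
                $caps[] = 'do_not_allow';
            } else {
                // The quoted code pushes $cap, which is still 'edit_user' after the
                // fall-through; comment 8 proposes the literal 'edit_users' instead.
                $caps[] = $patched ? 'edit_users' : $cap;
            }
            break;
        default:
            $caps[] = $cap;
    }
    return $caps;
}

// Assumed check: granted only if the role holds every required capability;
// 'do_not_allow' is never held by any role.
function role_can( array $role_caps, array $required ): bool {
    foreach ( $required as $cap ) {
        if ( 'do_not_allow' === $cap || ! in_array( $cap, $role_caps, true ) ) {
            return false;
        }
    }
    return true;
}

$admin_caps = array( 'edit_users', 'list_users' ); // constructed sample role
$cases = array( // label => [ acting user id, args, multisite?, super admin? ]
    'admin edits another user, single site' => array( 1, array( 2 ), false, false ),
    'admin edits own profile'               => array( 1, array( 1 ), false, false ),
    'site admin edits another, multisite'   => array( 1, array( 2 ), true, false ),
);
foreach ( $cases as $label => [ $uid, $args, $ms, $sa ] ) {
    foreach ( array( false, true ) as $patched ) {
        $need = map_cap( 'edit_user', $uid, $args, $ms, $sa, $patched );
        printf( "%-38s %-7s needs [%s] => %s\n", $label, $patched ? 'patched' : 'quoted',
            implode( ',', $need ), role_can( $admin_caps, $need ) ? 'allow' : 'deny' );
    }
}
```

Only the first case differs between the two variants: the self-edit path leaves before the fall-through, and the multisite path returns 'do_not_allow' either way.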
(In [14178]) Add multisite check on delete. Check promote_user cap. see #13074