Users without capability "create_users" can add new users
|Reported by:||imwebgefunden||Owned by:|
If a user has the capability "edit_users" and not the capability "create_users" he can add new users.
The defect is in admin-ajax.php. The check is against "edit_users" and not "create_users". I've attached a patch to fix this issue.
A second one - more an AddOn and not an defect: We should show the add user form only if the current user has the capability to add a new user. If the current user has the capability "create_users" the form will be shown. The second patch I attached make this job.