From 2b25a87d1b98c4246f8373ca730448f80dfac99e Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Sun, 2 Jul 2017 05:16:45 +0000
Subject: [PATCH] Capabilities: Prevent users having the `do_not_allow` capability.
Meta capabilities use the capability `do_not_allow` to indicate a user should be blocked from performing a particular action. This ensures users can not have the capability as it would cause unexpected behaviour.
Props johnbillion.
Fixes #41059.
Built from https://develop.svn.wordpress.org/trunk@40993
git-svn-id: http://core.svn.wordpress.org/trunk@40843 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-user.php | 3 +++
 wp-includes/version.php | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/wp-includes/class-wp-user.php b/wp-includes/class-wp-user.php
index 0b0bb1023a..7cf311dbad 100644
--- a/wp-includes/class-wp-user.php
+++ b/wp-includes/class-wp-user.php
@@ -748,6 +748,9 @@ class WP_User {
 // Everyone is allowed to exist.
 $capabilities['exist'] = true;
+ // Nobody is allowed to do things they are not allowed to do.
+ unset( $capabilities['do_not_allow'] );
+
 // Must have ALL requested caps.
 foreach ( (array) $caps as $cap ) {
 if ( empty( $capabilities[ $cap ] ) )
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5a1e1dd7e9..56990d6c4f 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.9-alpha-40992';
+$wp_version = '4.9-alpha-40993';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
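Review bot: The comment added above `unset( $capabilities['do_not_allow'] );` in the wp-includes/class-wp-user.php hunk is a tautology and does not record why the key is dropped, which makes this guard easy to move or remove later. I would replace it with `// 'do_not_allow' is the deny marker used by meta capabilities; never treat it as granted, whatever the user's stored capabilities contain.` The guard fails closed only because the loop below tests `empty( $capabilities[ $cap ] )`, so it has to stay after the last point where `$capabilities` is populated or filtered; the enclosing method starts and ends outside the hunk, so that ordering cannot be confirmed from here.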