From 7b55c4688a0c48ceb68a1a082a4a84b5fdae4bdc Mon Sep 17 00:00:00 2001
From: nacin <nacin@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Fri, 2 Apr 2010 06:46:07 +0000
Subject: [PATCH] Move add/remove super admin out of bulk edit and into
 user-edit.php. Introduce grant_super_admin() and revoke_super_admin(). Link
 to profile.php in ms-users user row for current user. Add defensive check by
 forcing IS_PROFILE_PAGE on user-edit if trying to edit your own user_id. see
 #12460

git-svn-id: http://svn.automattic.com/wordpress/trunk@13941 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/ms.php | 38 +++++++++++++++++++++++++++
 wp-admin/ms-edit.php     | 28 +++-----------------
 wp-admin/ms-users.php    | 19 ++++----------
 wp-admin/user-edit.php   | 55 ++++++++++++++++++++++------------------
 4 files changed, 76 insertions(+), 64 deletions(-)

diff --git a/wp-admin/includes/ms.php b/wp-admin/includes/ms.php
index d0f71576c8..76180b5407 100644
--- a/wp-admin/includes/ms.php
+++ b/wp-admin/includes/ms.php
@@ -793,4 +793,42 @@ function _admin_notice_multisite_activate_plugins_page() {
 	echo "<div class='error'><p>$message</p></div>";
 }
 
+/**
+ * Grants super admin privileges.
+ *
+ * @since 3.0.0
+ * @param $user_id
+ */
+function grant_super_admin( $user_id ) {
+	$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
+
+	$user = new WP_User( $user_id );
+	if ( ! in_array( $user->user_login, $super_admins ) ) {
+		$super_admins[] = $user->user_login;
+		update_site_option( 'site_admins' , $super_admins );
+	}
+}
+
+/**
+ * Revokes super admin privileges.
+ *
+ * @since 3.0.0
+ * @param $user_id
+ */
+function revoke_super_admin( $user_id ) {
+	$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
+	$admin_email = get_site_option( 'admin_email' );
+	
+	$user = new WP_User( $user_id );
+	if ( $user->ID != $current_user->ID || $user->user_email != $admin_email ) {
+		foreach ( $super_admins as $key => $username ) {
+			if ( $username == $user->user_login ) {
+				unset( $super_admins[$key] );
+				break;
+			}
+		}
+	}
+
+	update_site_option( 'site_admins' , $super_admins );
+}
 ?>
diff --git a/wp-admin/ms-edit.php b/wp-admin/ms-edit.php
index 9147649789..3780a8db61 100644
--- a/wp-admin/ms-edit.php
+++ b/wp-admin/ms-edit.php
@@ -524,7 +524,7 @@ switch ( $_GET['action'] ) {
 				$doaction = $_POST['action'] != -1 ? $_POST['action'] : $_POST['action2'];
 
 			foreach ( (array) $_POST['allusers'] as $key => $val ) {
-				if ( $val != '' || $val != '0' ) {
+				if ( !empty( $val ) ) {
 					switch ( $doaction ) {
 						case 'delete':
 							$title = __( 'Users' ); 
@@ -539,34 +539,12 @@ switch ( $_GET['action'] ) {
 
 						case 'superadmin':
 							$userfunction = 'add_superadmin';
-							$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
-
-							$user = new WP_User( $val );
-							if ( ! in_array( $user->user_login, $super_admins ) ) {
-								if ( $current_site->blog_id )
-									add_user_to_blog( $current_site->blog_id, $user->ID, 'administrator' );
-
-								$super_admins[] = $user->user_login;
-								update_site_option( 'site_admins' , $super_admins );
-							}
+							grant_super_admin( $val );
 						break;
 
 						case 'notsuperadmin':
 							$userfunction = 'remove_superadmin';
-							$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
-							$admin_email = get_site_option( 'admin_email' );
-							
-							$user = new WP_User( $val );
-							if ( $user->ID != $current_user->ID || $user->user_email != $admin_email ) {
-								foreach ( $super_admins as $key => $username ) {
-									if ( $username == $user->user_login ) {
-										unset( $super_admins[$key] );
-										break;
-									}
-								}
-							}
-
-							update_site_option( 'site_admins' , $super_admins );
+							revoke_super_admin( $val );
 						break;
 
 						case 'spam':
diff --git a/wp-admin/ms-users.php b/wp-admin/ms-users.php
index fec04054b7..6ea7d4c361 100644
--- a/wp-admin/ms-users.php
+++ b/wp-admin/ms-users.php
@@ -34,12 +34,6 @@ if ( isset( $_GET['updated'] ) && $_GET['updated'] == 'true' && ! empty( $_GET['
 			case 'add':
 				_e( 'User added.' );
 			break;
-			case 'add_superadmin':
-				_e( 'Network admin added.' );
-			break;
-			case 'remove_superadmin':
-				_e( 'Network admin removed.' );
-			break;
 		}
 		?>
 	</p></div>
@@ -128,10 +122,8 @@ if ( isset( $_GET['updated'] ) && $_GET['updated'] == 'true' && ! empty( $_GET['
 				<select name="action">
 					<option value="-1" selected="selected"><?php _e( 'Bulk Actions' ); ?></option>
 					<option value="delete"><?php _e( 'Delete' ); ?></option>
-					<option value="spam"><?php _e( 'Mark as Spammers' ); ?></option>
+					<option value="spam"><?php _e( 'Mark as Spam' ); ?></option>
 					<option value="notspam"><?php _e( 'Not Spam' ); ?></option>
-					<option value="superadmin"><?php _e( 'Add Super Admins' ); ?></option>
-					<option value="notsuperadmin"><?php _e( 'Remove Super Admins' ); ?></option>
 				</select>
 				<input type="submit" value="<?php esc_attr_e( 'Apply' ); ?>" name="doaction" id="doaction" class="button-secondary action" />
 				<?php wp_nonce_field( 'bulk-ms-users' ); ?>
@@ -227,15 +219,16 @@ if ( isset( $_GET['updated'] ) && $_GET['updated'] == 'true' && ! empty( $_GET['
 
 							case 'login':
 								$avatar	= get_avatar( $user['user_email'], 32 );
+								$edit_link = ( $current_user->ID == $user['ID'] ) ? 'profile.php' : 'user-edit.php?user_id=' . $user['ID'];
 								?>
 								<td class="username column-username">
-									<?php echo $avatar; ?><strong><a href="<?php echo esc_url( admin_url( 'user-edit.php?user_id=' . $user['ID'] ) ); ?>" class="edit"><?php echo stripslashes( $user['user_login'] ); ?></a><?php
+									<?php echo $avatar; ?><strong><a href="<?php echo esc_url( admin_url( $edit_link ) ); ?>" class="edit"><?php echo stripslashes( $user['user_login'] ); ?></a><?php
 									if ( in_array( $user['user_login'], $super_admins ) )
 										echo ' - ' . __( 'Super admin' );
 									?></strong>
 									<br/>
 									<div class="row-actions">
-										<span class="edit"><a href="<?php echo esc_url( admin_url( 'user-edit.php?user_id=' . $user['ID'] ) ); ?>"><?php _e( 'Edit'); ?></a></span>
+										<span class="edit"><a href="<?php echo esc_url( admin_url( $edit_link ) ); ?>"><?php _e( 'Edit' ); ?></a></span>
 										<?php if ( ! in_array( $user['user_login'], $super_admins ) ) { ?>
 										| <span class="delete"><a href="<?php echo $delete	= esc_url( admin_url( add_query_arg( '_wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), wp_nonce_url( 'ms-edit.php', 'deleteuser' ) . '&amp;action=deleteuser&amp;id=' . $user['ID'] ) ) ); ?>" class="delete"><?php _e( 'Delete' ); ?></a></span>
 										<?php } ?>
@@ -323,10 +316,8 @@ if ( isset( $_GET['updated'] ) && $_GET['updated'] == 'true' && ! empty( $_GET['
 				<select name="action2">
 					<option value="-1" selected="selected"><?php _e( 'Bulk Actions' ); ?></option>
 					<option value="delete"><?php _e( 'Delete' ); ?></option>
-					<option value="spam"><?php _e( 'Mark as Spammers' ); ?></option>
+					<option value="spam"><?php _e( 'Mark as Spam' ); ?></option>
 					<option value="notspam"><?php _e( 'Not Spam' ); ?></option>
-					<option value="superadmin"><?php _e( 'Add Super Admins' ); ?></option>
-					<option value="notsuperadmin"><?php _e( 'Remove Super Admins' ); ?></option>
 				</select>
 				<input type="submit" value="<?php esc_attr_e( 'Apply' ); ?>" name="doaction2" id="doaction2" class="button-secondary action" />
 			</div>
diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
index b2acbb2a29..37f5d289dc 100644
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@@ -9,8 +9,19 @@
 /** WordPress Administration Bootstrap */
 require_once('admin.php');
 
-if ( !defined('IS_PROFILE_PAGE') )
-	define('IS_PROFILE_PAGE', false);
+wp_reset_vars(array('action', 'redirect', 'profile', 'user_id', 'wp_http_referer'));
+
+$user_id = (int) $user_id;
+$current_user = wp_get_current_user();
+if ( ! defined( 'IS_PROFILE_PAGE' ) )
+	define( 'IS_PROFILE_PAGE', ( $user_id == $current_user->ID ) );
+
+if ( ! $user_id && IS_PROFILE_PAGE )
+	$user_id = $current_user->ID;
+elseif ( ! $user_id && ! IS_PROFILE_PAGE )
+	wp_die(__( 'Invalid user ID.' ) );
+elseif ( ! get_userdata( $user_id ) )
+	wp_die( __('Invalid user ID.') );
 
 wp_enqueue_script('user-profile');
 wp_enqueue_script('password-strength-meter');
@@ -22,23 +33,8 @@ else
 	$submenu_file = 'profile.php';
 $parent_file = 'users.php';
 
-wp_reset_vars(array('action', 'redirect', 'profile', 'user_id', 'wp_http_referer'));
-
 $wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer));
 
-$user_id = (int) $user_id;
-
-if ( !$user_id ) {
-	if ( IS_PROFILE_PAGE ) {
-		$current_user = wp_get_current_user();
-		$user_id = $current_user->ID;
-	} else {
-		wp_die(__('Invalid user ID.'));
-	}
-} elseif ( !get_userdata($user_id) ) {
-	wp_die( __('Invalid user ID.') );
-}
-
 $all_post_caps = array('posts', 'pages');
 $user_can_edit = false;
 foreach ( $all_post_caps as $post_cap )
@@ -123,7 +119,10 @@ if ( !is_multisite() ) {
 	if ( !isset( $errors ) || ( isset( $errors ) && is_object( $errors ) && false == $errors->get_error_codes() ) )
 		$errors = edit_user($user_id);
 	if ( $delete_role ) // stops users being added to current blog when they are edited
-		update_user_meta( $user_id, $blog_prefix . 'capabilities' , '' );
+		delete_user_meta( $user_id, $blog_prefix . 'capabilities' );
+
+	if ( is_multisite() && is_super_admin() && !IS_PROFILE_PAGE )
+		empty( $_POST['super_admin'] ) ? revoke_super_admin( $user_id ) : grant_super_admin( $user_id );
 }
 
 if ( !is_wp_error( $errors ) ) {
@@ -142,6 +141,9 @@ if ( !current_user_can('edit_user', $user_id) )
 include ('admin-header.php');
 ?>
 
+<?php if ( !IS_PROFILE_PAGE && is_super_admin( $profileuser->ID ) ) { ?>
+	<div class="updated"><p><strong><?php _e('Important:'); ?></strong> <?php _e('This user has super admin privileges.'); ?></p></div>
+<?php } ?>
 <?php if ( isset($_GET['updated']) ) : ?>
 <div id="message" class="updated">
 	<p><strong><?php _e('User updated.') ?></strong></p>
@@ -165,7 +167,7 @@ include ('admin-header.php');
 <?php screen_icon(); ?>
 <h2><?php echo esc_html( $title ); ?></h2>
 
-<form id="your-profile" action="<?php if ( IS_PROFILE_PAGE ) { echo admin_url('profile.php'); } else { echo admin_url('user-edit.php'); } ?>" method="post">
+<form id="your-profile" action="<?php echo esc_url( admin_url( IS_PROFILE_PAGE ? 'profile.php' : 'user-edit.php' ) ); ?>" method="post">
 <?php wp_nonce_field('update-user_' . $user_id) ?>
 <?php if ( $wp_http_referer ) : ?>
 	<input type="hidden" name="wp_http_referer" value="<?php echo esc_url($wp_http_referer); ?>" />
@@ -232,7 +234,11 @@ if ( $user_role )
 else
 	echo '<option value="" selected="selected">' . __('&mdash; No role for this blog &mdash;') . '</option>';
 ?>
-</select></td></tr>
+</select>
+<?php if ( is_multisite() && is_super_admin() ) { ?>
+<p><label><input type="checkbox" id="super_admin" name="super_admin"<?php checked( is_super_admin( $profileuser->ID ) ); ?> /> <?php _e( 'Grant this user super admin privileges for the Network.'); ?></label></p>
+<?php } ?>
+</td></tr>
 <?php endif; //!IS_PROFILE_PAGE ?>
 
 <tr>
@@ -331,11 +337,10 @@ if ( $show_password_fields ) :
 </table>
 
 <?php
-	if ( IS_PROFILE_PAGE ) {
-		do_action('show_user_profile', $profileuser);
-	} else {
-		do_action('edit_user_profile', $profileuser);
-	}
+	if ( IS_PROFILE_PAGE )
+		do_action( 'show_user_profile', $profileuser );
+	else
+		do_action( 'edit_user_profile', $profileuser );
 ?>
 
 <?php if ( count($profileuser->caps) > count($profileuser->roles) && apply_filters('additional_capabilities_display', true, $profileuser) ) { ?>