From 80d13281ed2bed0745288dcd7ff0ab2728cba1a9 Mon Sep 17 00:00:00 2001
From: Jeremy Felt
Date: Sat, 7 Mar 2015 06:00:28 +0000
Subject: [PATCH] Return HTTP status code 403 in network admin when access is forbidden.
When the error message "You do not have permission to access this page" is used in network admin screens, return an HTTP status code of 403 to match.
Previously: [30356] and [31300].
Props yo-l1982.
Fixes #31422.
Built from https://develop.svn.wordpress.org/trunk@31658
git-svn-id: http://core.svn.wordpress.org/trunk@31639 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/network/index.php | 2 +-
 wp-admin/network/settings.php | 2 +-
 wp-admin/network/site-info.php | 2 +-
 wp-admin/network/site-settings.php | 2 +-
 wp-admin/network/site-themes.php | 2 +-
 wp-admin/network/site-users.php | 2 +-
 wp-admin/network/sites.php | 4 ++--
 wp-admin/network/upgrade.php | 2 +-
 wp-admin/network/user-new.php | 2 +-
 wp-admin/network/users.php | 10 +++++-----
 wp-includes/version.php | 2 +-
 11 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/wp-admin/network/index.php b/wp-admin/network/index.php
index bd6437e7f0..0aff27078c 100644
--- a/wp-admin/network/index.php
+++ b/wp-admin/network/index.php
@@ -17,7 +17,7 @@ if ( !is_multisite() )
 wp_die( __( 'Multisite support is not enabled.' ) );
 if ( ! current_user_can( 'manage_network' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $title = __( 'Dashboard' );
 $parent_file = 'index.php';
diff --git a/wp-admin/network/settings.php b/wp-admin/network/settings.php
index 843c2687ea..f5bd31d8fd 100644
--- a/wp-admin/network/settings.php
+++ b/wp-admin/network/settings.php
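Review bot: The added `''` title argument exists only to reach the third parameter, and the same three-argument form is repeated in every hunk of this patch (settings.php, the four site-*.php files, sites.php, upgrade.php, user-new.php and users.php). If I recall correctly wp_die() has accepted an integer response code as its second argument since 4.1, so `wp_die( __( 'You do not have permission to access this page.' ), 403 );` would say the same thing without the empty title; worth confirming against the current wp_die() signature before applying it across the patch. The preceding `'Multisite support is not enabled.'` wp_die() in this hunk, and in settings.php, sites.php and users.php, keeps the default status, which is presumably intended since that is a configuration condition rather than an authorization failure.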
@@ -17,7 +17,7 @@ if ( ! is_multisite() )
 wp_die( __( 'Multisite support is not enabled.' ) );
 if ( ! current_user_can( 'manage_network_options' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $title = __( 'Network Settings' );
 $parent_file = 'settings.php';
diff --git a/wp-admin/network/site-info.php b/wp-admin/network/site-info.php
index ac19941b64..9c0e9d5b4c 100644
--- a/wp-admin/network/site-info.php
+++ b/wp-admin/network/site-info.php
@@ -40,7 +40,7 @@ if ( ! $id )
 $details = get_blog_details( $id );
 if ( !can_edit_network( $details->site_id ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $parsed = parse_url( $details->siteurl );
 $is_main_site = is_main_site( $id );
diff --git a/wp-admin/network/site-settings.php b/wp-admin/network/site-settings.php
index d232ea69c9..828cebfb93 100644
--- a/wp-admin/network/site-settings.php
+++ b/wp-admin/network/site-settings.php
@@ -40,7 +40,7 @@ if ( ! $id )
 $details = get_blog_details( $id );
 if ( !can_edit_network( $details->site_id ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $is_main_site = is_main_site( $id );
diff --git a/wp-admin/network/site-themes.php b/wp-admin/network/site-themes.php
index cb4a63ab9b..36c2515554 100644
--- a/wp-admin/network/site-themes.php
+++ b/wp-admin/network/site-themes.php
@@ -57,7 +57,7 @@ $wp_list_table->prepare_items();
 $details = get_blog_details( $id );
 if ( !can_edit_network( $details->site_id ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $is_main_site = is_main_site( $id );
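Review bot: The guard that now returns 403 in the site-info.php hunk reads `$details->site_id` without checking that `get_blog_details( $id )` returned an object, so an unknown but non-zero id reaches can_edit_network() with a null site id instead of being rejected as not found; the site-settings.php, site-themes.php and site-users.php hunks share the pattern. The `if ( ! $id )` check visible in the hunk header only covers a missing id. In practice can_edit_network() presumably fails closed on a null id, so the visible effect is a PHP notice and a misleading 403 rather than a bypass, but a not-found response before the dereference would be cleaner: `if ( ! $details ) wp_die( __( 'Invalid site ID.' ), '', array( 'response' => 404 ) );` placed directly after the `$details` assignment.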
diff --git a/wp-admin/network/site-users.php b/wp-admin/network/site-users.php
index ed46321f96..5c1dc5bcf4 100644
--- a/wp-admin/network/site-users.php
+++ b/wp-admin/network/site-users.php
@@ -50,7 +50,7 @@ if ( ! $id )
 $details = get_blog_details( $id );
 if ( ! can_edit_network( $details->site_id ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $is_main_site = is_main_site( $id );
diff --git a/wp-admin/network/sites.php b/wp-admin/network/sites.php
index 7fc174844d..8feaf45e40 100644
--- a/wp-admin/network/sites.php
+++ b/wp-admin/network/sites.php
@@ -14,7 +14,7 @@ if ( ! is_multisite() )
 wp_die( __( 'Multisite support is not enabled.' ) );
 if ( ! current_user_can( 'manage_sites' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $wp_list_table = _get_list_table( 'WP_MS_Sites_List_Table' );
 $pagenum = $wp_list_table->get_pagenum();
@@ -97,7 +97,7 @@ if ( isset( $_GET['action'] ) ) {
 case 'deleteblog':
 if ( ! current_user_can( 'delete_sites' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $updated_action = 'not_deleted';
 if ( $id != '0' && $id != $current_site->blog_id && current_user_can( 'delete_site', $id ) ) {
diff --git a/wp-admin/network/upgrade.php b/wp-admin/network/upgrade.php
index dcca3deb41..5bb997dd39 100644
--- a/wp-admin/network/upgrade.php
+++ b/wp-admin/network/upgrade.php
@@ -36,7 +36,7 @@ get_current_screen()->set_help_sidebar(
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
 if ( ! current_user_can( 'manage_network' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 echo '
'; echo '

' . __( 'Upgrade Network' ) . '

';
diff --git a/wp-admin/network/user-new.php b/wp-admin/network/user-new.php
index 225a2069dd..3141b773be 100644
--- a/wp-admin/network/user-new.php
+++ b/wp-admin/network/user-new.php
@@ -33,7 +33,7 @@ get_current_screen()->set_help_sidebar(
 if ( isset($_REQUEST['action']) && 'add-user' == $_REQUEST['action'] ) {
 check_admin_referer( 'add-user', '_wpnonce_add-user' );
 if ( ! current_user_can( 'manage_network_users' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 if ( ! is_array( $_POST['user'] ) ) wp_die( __( 'Cannot create an empty user.' ) );
diff --git a/wp-admin/network/users.php b/wp-admin/network/users.php
index 650c3ca089..f75c35a0f3 100644
--- a/wp-admin/network/users.php
+++ b/wp-admin/network/users.php
@@ -14,7 +14,7 @@ if ( ! is_multisite() )
 wp_die( __( 'Multisite support is not enabled.' ) );
 if ( ! current_user_can( 'manage_network_users' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 function confirm_delete_users( $users ) {
 $current_user = wp_get_current_user();
@@ -123,7 +123,7 @@ if ( isset( $_GET['action'] ) ) {
 switch ( $_GET['action'] ) {
 case 'deleteuser':
 if ( ! current_user_can( 'manage_network_users' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 check_admin_referer( 'deleteuser' );
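Review bot: The 403 added in the upgrade.php hunk cannot reach the client, because `require_once( ABSPATH . 'wp-admin/admin-header.php' );` two lines above it has already emitted headers and the start of the page body before the `manage_network` check runs; wp_die() presumably skips its status_header() call once headers are sent, so an unauthorised user still receives a 200 and a fully rendered admin header. The capability check should move above the admin-header require so it runs before any output, as the other screens in this patch already do: `if ( ! current_user_can( 'manage_network' ) ) wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );` followed by `require_once( ABSPATH . 'wp-admin/admin-header.php' );`. The screen setup that precedes the require is outside this hunk, so the check may need to sit after those assignments but before the require.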
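Review bot: In the user-new.php hunk the adjacent `if ( ! is_array( $_POST['user'] ) ) wp_die( __( 'Cannot create an empty user.' ) );` still emits wp_die()'s default status for what is a malformed request, and it reads `$_POST['user']` without an isset() guard, so a POST lacking that field raises a notice before dying. Since this commit is already adjusting the status codes of this branch, `if ( empty( $_POST['user'] ) || ! is_array( $_POST['user'] ) )` together with `array( 'response' => 400 )` on that wp_die() would keep the client-error semantics consistent. The enclosing `add-user` block continues outside the hunk.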
@@ -144,7 +144,7 @@ if ( isset( $_GET['action'] ) ) {
 case 'allusers':
 if ( !current_user_can( 'manage_network_users' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 if ( ( isset( $_POST['action']) || isset($_POST['action2'] ) ) && isset( $_POST['allusers'] ) ) {
 check_admin_referer( 'bulk-users-network' );
@@ -157,7 +157,7 @@ if ( isset( $_GET['action'] ) ) {
 switch ( $doaction ) {
 case 'delete':
 if ( ! current_user_can( 'delete_users' ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 $title = __( 'Users' );
 $parent_file = 'users.php';
 require_once( ABSPATH . 'wp-admin/admin-header.php' );
@@ -206,7 +206,7 @@ if ( isset( $_GET['action'] ) ) {
 case 'dodelete':
 check_admin_referer( 'ms-users-delete' );
 if ( ! ( current_user_can( 'manage_network_users' ) && current_user_can( 'delete_users' ) ) )
- wp_die( __( 'You do not have permission to access this page.' ) );
+ wp_die( __( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
 if ( ! empty( $_POST['blog'] ) && is_array( $_POST['blog'] ) ) {
 foreach ( $_POST['blog'] as $id => $users ) {
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 17ca08ac3f..0df29478f1 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.2-alpha-31657';
+$wp_version = '4.2-alpha-31658';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.