Explicitly set the capability required in edit_users map_meta_cap branch, so we don't accidentally pass edit_user. props TheDeadMedic. fixes #13074, fixes #13137

git-svn-id: http://svn.automattic.com/wordpress/trunk@14256 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
nacin 2010-04-27 20:39:39 +00:00
parent 9d7ec92745
commit d5f61d9db3

View File

@ -782,8 +782,8 @@ class WP_User {
* *
* This does not actually compare whether the user ID has the actual capability, * This does not actually compare whether the user ID has the actual capability,
* just what the capability or capabilities are. Meta capability list value can * just what the capability or capabilities are. Meta capability list value can
* be 'delete_user', 'edit_user', 'delete_post', 'delete_page', 'edit_post', * be 'delete_user', 'edit_user', 'remove_user', 'promote_user', 'delete_post',
* 'edit_page', 'read_post', or 'read_page'. * 'delete_page', 'edit_post', 'edit_page', 'read_post', or 'read_page'.
* *
* @since 2.0.0 * @since 2.0.0
* *
@ -815,7 +815,7 @@ function map_meta_cap( $cap, $user_id ) {
if ( is_multisite() && !is_super_admin() ) if ( is_multisite() && !is_super_admin() )
$caps[] = 'do_not_allow'; $caps[] = 'do_not_allow';
else else
$caps[] = $cap; $caps[] = 'edit_users'; // Explicit due to primitive fall through
break; break;
case 'delete_post': case 'delete_post':
$author_data = get_userdata( $user_id ); $author_data = get_userdata( $user_id );