From fda80bc7f690dc17bf67758a33114371ba43f330 Mon Sep 17 00:00:00 2001 From: ryan Date: Wed, 21 Apr 2010 17:43:53 +0000 Subject: [PATCH] Separate user deletion and removal. Add promote_users cap so that multisite Admins (not supes) can promote. see #13074 git-svn-id: http://svn.automattic.com/wordpress/trunk@14176 1a063a9b-81f0-0310-95a4-ce76da25c4cd
--- wp-admin/includes/schema.php | 1 + wp-admin/includes/template.php | 8 +- wp-admin/users.php | 137 +++++++++++++++++++++++++++------ wp-includes/capabilities.php | 3 + 4 files changed, 121 insertions(+), 28 deletions(-)
diff --git a/wp-admin/includes/schema.php b/wp-admin/includes/schema.php
index 662299651a..72f0818424 100644
--- a/wp-admin/includes/schema.php
+++ b/wp-admin/includes/schema.php
@@ -609,6 +609,7 @@ function populate_roles_300() {
 $role->add_cap( 'update_core' );
 $role->add_cap( 'remove_users' );
 $role->add_cap( 'add_users' );
+ $role->add_cap( 'promote_users' );
 $role->add_cap( 'edit_theme_options' );
 }
 }
diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php
index 491ceffb8e..851cc80121 100644
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -1823,14 +1823,12 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
 $edit = "$user_object->user_login
"; // Set up the hover actions for this user - $del_cap_type = 'remove'; - if ( !is_multisite() && current_user_can('delete_users') ) - $del_cap_type = 'delete'; - $actions = array(); $actions['edit'] = '' . __('Edit') . ''; - if ( $current_user->ID != $user_object->ID && current_user_can( $del_cap_type . '_user', $user_object->ID ) ) + if ( !is_multisite() && $current_user->ID != $user_object->ID && current_user_can('delete_user', $user_object->ID) ) $actions['delete'] = "" . __('Delete') . ""; + if ( is_multisite() && $current_user->ID != $user_object->ID && current_user_can('remove_user', $user_object->ID) ) + $actions['remove'] = "" . __('Remove') . ""; $actions = apply_filters('user_row_actions', $actions, $user_object); $action_count = count($actions); $i = 0; diff --git a/wp-admin/users.php b/wp-admin/users.php index ac4b2fc7de..ee81f8ef8d 100644 --- a/wp-admin/users.php +++ b/wp-admin/users.php @@ -15,14 +15,6 @@ require_once( ABSPATH . WPINC . '/registration.php'); if ( !current_user_can('edit_users') ) wp_die(__('Cheatin’ uh?')); -if ( ! is_multisite() && current_user_can('delete_users') ) { - $del_cap_user = 'delete_user'; - $del_cap_users = 'delete_users'; -} else { - $del_cap_user = 'remove_user'; - $del_cap_users = 'remove_users'; -} - $title = __('Users'); $parent_file = 'users.php'; @@ -66,7 +58,7 @@ case 'promote': if ( ! current_user_can('edit_user', $id) ) wp_die(__('You can’t edit that user.')); // The new role of the current user must also have edit_users caps - if ( $id == $current_user->ID && !$wp_roles->role_objects[$_REQUEST['new_role']]->has_cap('edit_users') ) { + if ( $id == $current_user->ID && !$wp_roles->role_objects[$_REQUEST['new_role']]->has_cap('promote_users') ) { $update = 'err_admin_role'; continue; } @@ -81,6 +73,8 @@ case 'promote': break; case 'dodelete': + if ( is_multisite() ) + wp_die( __('User deletion is not allowed from this screen.') ); check_admin_referer('delete-users'); 
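Review bot: The Remove link on the `is_multisite()` branch is gated on `current_user_can('remove_user', $user_object->ID)`, a meta cap that only works if `map_meta_cap()` translates it, and the capabilities.php hunk in this commit adds a `promote_user` case beside `delete_user` but no `remove_user` case is visible there. If that mapping does not already exist elsewhere in the switch, the check falls through to the default branch and demands a literal `remove_user` capability, which `populate_roles_300()` never grants (it grants `remove_users`), so the link would never render for multisite admins. Adding `case 'remove_user': $caps[] = 'remove_users'; break;` next to `delete_user` closes that gap; the `remove_user` check on the users.php `remove` confirmation screen depends on the same mapping. user_row() continues outside the hunk.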
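Review bot: The promote loop still admits the acting user on `current_user_can('edit_user', $id)` alone; the new `promote_users` capability is consulted only in the self-demotion guard on the target role, so nothing in this hunk requires the person doing the promoting to hold it, which is what the commit message says the cap is for. If the gate is not tightened before the loop (its start is outside the hunk), `if ( ! current_user_can('promote_user', $id) )` is the natural check now that the meta cap exists. The changed line also indexes `$wp_roles->role_objects[$_REQUEST['new_role']]` with unvalidated request input, so an unknown role name yields null and a fatal `has_cap()` call on it; an `isset()` test on that entry before the call would fail cleanly instead.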
@@ -89,16 +83,16 @@ case 'dodelete': exit(); } - if ( ! current_user_can($del_cap_users ) ) - wp_die(__('You can’t remove users.')); + if ( ! current_user_can( 'delete_users' ) ) + wp_die(__('You can’t delete users.')); $userids = $_REQUEST['users']; $update = 'del'; $delete_count = 0; foreach ( (array) $userids as $id) { - if ( ! current_user_can( $del_cap_user, $id ) ) - wp_die(__( 'You can’t remove that user.' ) ); + if ( ! current_user_can( 'delete_user', $id ) ) + wp_die(__( 'You can’t delete that user.' ) ); if ( $id == $current_user->ID ) { $update = 'err_admin_del'; @@ -106,16 +100,11 @@ case 'dodelete': } switch ( $_REQUEST['delete_option'] ) { case 'delete': - if ( !is_multisite() && current_user_can('delete_user', $id) ) + if ( current_user_can('delete_user', $id) ) wp_delete_user($id); - else - remove_user_from_blog($id, $blog_id); // WPMU only remove user from blog - break; case 'reassign': - if ( !is_multisite() && current_user_can('delete_user', $id) ) + if ( current_user_can('delete_user', $id) ) wp_delete_user($id, $_REQUEST['reassign_user']); - else - remove_user_from_blog($id, $blog_id, $_REQUEST['reassign_user']); break; } ++$delete_count; @@ -128,7 +117,6 @@ case 'dodelete': break; case 'delete': - check_admin_referer('bulk-users'); if ( empty($_REQUEST['users']) && empty($_REQUEST['user']) ) { @@ -136,7 +124,7 @@ case 'delete': exit(); } - if ( ! current_user_can( $del_cap_users ) ) + if ( ! current_user_can( 'delete_users' ) ) $errors = new WP_Error( 'edit_users', __( 'You can’t delete users.' ) ); if ( empty($_REQUEST['users']) ) @@ -167,6 +155,7 @@ case 'delete': $go_delete = true; } } + // @todo Delete is always for !is_multisite(). Use API. if ( !is_multisite() ) { $all_logins = $wpdb->get_results("SELECT ID, user_login FROM $wpdb->users ORDER BY user_login"); } else { 
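Review bot: In the `delete_option` switch, the inner `current_user_can('delete_user', $id)` checks now duplicate the `wp_die()` guard a few lines above, so neither `if` can be false and the silent no-op branch is dead; either drop the inner check or leave a comment saying it is deliberate defence in depth. From this collapsed rendering it is not clear whether the `-` line after the removed `remove_user_from_blog()` call was a blank line or the `break;` that ended the `delete` case; if the latter, `delete` now falls through into `reassign` and calls `wp_delete_user()` a second time with `$_REQUEST['reassign_user']`, so please confirm the `break;` survived. Note also that `++$delete_count` runs even when `delete_option` matches neither case, so `$update = 'del'` can report a deletion that never happened.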
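Review bot: The `delete` confirmation screen does not get the `is_multisite()` refusal that `dodelete` gained, so on a multisite install a user holding `delete_users` is still shown the confirmation form and only hits `wp_die()` on submit; mirroring the guard at the top of this case, `if ( is_multisite() ) wp_die( __('User deletion is not allowed from this screen.') );`, keeps the two halves consistent. The `// @todo` added in the next hunk acknowledges the mismatch but leaves the screen reachable.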
@@ -199,6 +188,94 @@ case 'delete': break; +case 'doremove': + check_admin_referer('remove-users'); + + if ( empty($_REQUEST['users']) ) { + wp_redirect($redirect); + exit; + } + + if ( !current_user_can('remove_users') ) + die(__('You can’t remove users.')); + + $userids = $_REQUEST['users']; + + $update = 'remove'; + foreach ( $userids as $id ) { + $id = (int) $id; + if ( $id == $current_user->id && !is_super_admin() ) { + $update = 'err_admin_remove'; + continue; + } + if ( !current_user_can('delete_user', $id) ) { + $update = 'err_admin_remove'; + continue; + } + remove_user_from_blog($id, $blog_id); + } + + $redirect = add_query_arg( array('update' => $update), $redirect); + wp_redirect($redirect); + exit; + +break; + +case 'remove': + + check_admin_referer('bulk-users'); + + if ( empty($_REQUEST['users']) && empty($_REQUEST['user']) ) { + wp_redirect($redirect); + exit(); + } + + if ( !current_user_can('remove_users') ) + $error = new WP_Error('edit_users', __('You can’t remove users.')); + + if ( empty($_REQUEST['users']) ) + $userids = array(intval($_REQUEST['user'])); + else + $userids = $_REQUEST['users']; + + include ('admin-header.php'); +?> +
+ + + +
+ +

+

+
    +id && !is_super_admin() ) { + echo "
  • " . sprintf(__('ID #%1s: %2s The current user will not be removed.'), $id, $user->user_login) . "
  • \n"; + } elseif ( !current_user_can('remove_user', $id) ) { + echo "
  • " . sprintf(__('ID #%1s: %2s You don\'t have permission to remove this user.'), $id, $user->user_login) . "
  • \n"; + } else { + echo "
  • " . sprintf(__('ID #%1s: %2s'), $id, $user->user_login) . "
  • \n"; + $go_remove = true; + } + } + ?> + + +

    + +

    + +
+
+
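Review bot: `doremove` authorises each user with `current_user_can('delete_user', $id)` while the `remove` confirmation screen uses `remove_user` and the bulk gate is `remove_users`; since `map_meta_cap()` routes `delete_user` to `delete_users`, a multisite admin who holds `remove_users` but not `delete_users` passes the confirmation page and then gets `err_admin_remove` for every user, so the loop check should read `if ( !current_user_can('remove_user', $id) ) {`. That same `err_admin_remove` code is also set for the self-removal case, and its message says the current user cannot be removed, which is misleading when the real cause was a permission failure; a distinct code, or a `wp_die()` as the `dodelete` path does, would separate the two. Smaller inconsistencies with `dodelete` alongside: `die()` instead of `wp_die()`, `$current_user->id` where the rest of the file compares `$current_user->ID` (if `WP_User` does not expose the lowercase alias, the self-check silently never matches), no `(array)` cast on `$userids` before the `foreach`, and the confirmation screen assigns `$error` where the `delete` screen assigns `$errors`, so whichever one the shared template prints, the other message is lost. The form markup of this hunk is stripped in this rendering.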

' . __('You can’t delete the current user.') . '

'; $messages[] = '

' . __('Other users have been deleted.') . '

'; break; + case 'remove': + $messages[] = '

' . __('User removed from this blog.') . '

'; + break; + case 'err_admin_remove': + $messages[] = '

' . __("You can't remove the current user.") . '

'; + $messages[] = '

' . __('Other users have been removed.') . '

'; + break; } endif; ?> @@ -323,7 +407,11 @@ unset($role_links);
@@ -392,8 +480,11 @@ foreach ( $wp_user_search->get_results() as $userid ) {
+ + +
diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php index 48aab2d358..af502a30c8 100644 --- a/wp-includes/capabilities.php +++ b/wp-includes/capabilities.php @@ -802,6 +802,9 @@ function map_meta_cap( $cap, $user_id ) { case 'delete_user': $caps[] = 'delete_users'; break; + case 'promote_user': + $caps[] = 'promote_users'; + break; case 'edit_user': if ( !isset( $args[0] ) || $user_id != $args[0] ) { $caps[] = 'edit_users';