X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/6c8f14c09105d0afa4c1574215c59b5021040e76..78ff9d91a14da1f53bd3f1ffcab1264d92359b72:/wp-admin/user-edit.php diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php index eadc1f08..331fb9de 100644 --- a/wp-admin/user-edit.php +++ b/wp-admin/user-edit.php @@ -7,9 +7,9 @@ */ /** WordPress Administration Bootstrap */ -require_once('./admin.php'); +require_once( dirname( __FILE__ ) . '/admin.php' ); -wp_reset_vars(array('action', 'redirect', 'profile', 'user_id', 'wp_http_referer')); +wp_reset_vars( array( 'action', 'user_id', 'wp_http_referer' ) ); $user_id = (int) $user_id; $current_user = wp_get_current_user(); @@ -54,7 +54,7 @@ get_current_screen()->set_help_sidebar( '
' . __('Support Forums') . '
' ); -$wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer)); +$wp_http_referer = remove_query_arg(array('update', 'delete_count'), $wp_http_referer ); $user_can_edit = current_user_can( 'edit_posts' ) || current_user_can( 'edit_pages' ); @@ -74,9 +74,26 @@ function use_ssl_preference($user) { ID && ! apply_filters( 'enable_edit_any_user_configuration', true ) ) +/** + * Filter whether to allow administrators on Multisite to edit every user. + * + * Enabling the user editing form via this filter also hinges on the user holding + * the 'manage_network_users' cap, and the logged-in user not matching the user + * profile open for editing. + * + * The filter was introduced to replace the EDIT_ANY_USER constant. + * + * @since 3.0.0 + * + * @param bool $allow Whether to allow editing of any user. Default true. + */ +if ( is_multisite() + && ! current_user_can( 'manage_network_users' ) + && $user_id != $current_user->ID + && ! apply_filters( 'enable_edit_any_user_configuration', true ) +) { wp_die( __( 'You do not have permission to edit this user.' ) ); +} // Execute confirmed email change. See send_confirmation_on_profile_email(). if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) { @@ -106,10 +123,27 @@ check_admin_referer('update-user_' . $user_id); if ( !current_user_can('edit_user', $user_id) ) wp_die(__('You do not have permission to edit this user.')); -if ( IS_PROFILE_PAGE ) - do_action('personal_options_update', $user_id); -else - do_action('edit_user_profile_update', $user_id); +if ( IS_PROFILE_PAGE ) { + /** + * Fires before the page loads on the 'Your Profile' editing screen. + * + * The action only fires if the current user is editing their own profile. + * + * @since 2.0.0 + * + * @param int $user_id The user ID. + */ + do_action( 'personal_options_update', $user_id ); +} else { + /** + * Fires before the page loads on the 'Edit User' screen. + * + * @since 2.7.0 + * + * @param int $user_id The user ID. + */ + do_action( 'edit_user_profile_update', $user_id ); +} if ( !is_multisite() ) { $errors = edit_user($user_id); @@ -120,7 +154,7 @@ if ( !is_multisite() ) { if ( $user->user_login && isset( $_POST[ 'email' ] ) && is_email( $_POST[ 'email' ] ) && $wpdb->get_var( $wpdb->prepare( "SELECT user_login FROM {$wpdb->signups} WHERE user_login = %s", $user->user_login ) ) ) $wpdb->query( $wpdb->prepare( "UPDATE {$wpdb->signups} SET user_email = %s WHERE user_login = %s", $_POST[ 'email' ], $user_login ) ); - // WPMU must delete the user from the current blog if WP added him after editing. + // We must delete the user from the current blog if WP added them after editing. $delete_role = false; $blog_prefix = $wpdb->get_blog_prefix(); if ( $user_id != $current_user->ID ) { @@ -176,7 +210,6 @@ include (ABSPATH . 'wp-admin/admin-header.php');