X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/ff81ee6e8304a1982a3ec4f5b134764a29d502cf..refs/tags/wordpress-2.6.2:/wp-admin/users.php
diff --git a/wp-admin/users.php b/wp-admin/users.php
index ab555323..f032e413 100644
--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@@ -1,126 +1,159 @@ '; +} elseif ( isset($_REQUEST['wp_http_referer']) ) { + $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer'])); + $referer = ''; +} else { + $redirect = 'users.php'; +} + switch ($action) { case 'promote': - check_admin_referer(); + check_admin_referer('bulk-users'); - if (empty($_POST['users'])) { - header('Location: users.php'); + if (empty($_REQUEST['users'])) { + wp_redirect($redirect); + exit(); } if ( !current_user_can('edit_users') ) - die(__('You can’t edit users.')); + wp_die(__('You can’t edit users.')); - $userids = $_POST['users']; + $userids = $_REQUEST['users']; $update = 'promote'; - foreach($userids as $id) { + foreach($userids as $id) { + if ( ! current_user_can('edit_user', $id) ) + wp_die(__('You can’t edit that user.')); // The new role of the current user must also have edit_users caps - if($id == $current_user->id && !$wp_roles->role_objects[$_POST['new_role']]->has_cap('edit_users')) { + if($id == $current_user->ID && !$wp_roles->role_objects[$_REQUEST['new_role']]->has_cap('edit_users')) { $update = 'err_admin_role'; continue; } - $user = new WP_User($id); - $user->set_role($_POST['new_role']); - } - - header('Location: users.php?update=' . 
$update); + $user = new WP_User($id); + $user->set_role($_REQUEST['new_role']); + } + + wp_redirect(add_query_arg('update', $update, $redirect)); + exit(); break; case 'dodelete': - check_admin_referer(); + check_admin_referer('delete-users'); - if ( empty($_POST['users']) ) { - header('Location: users.php'); + if ( empty($_REQUEST['users']) ) { + wp_redirect($redirect); + exit(); } - if ( !current_user_can('edit_users') ) - die(__('You can’t delete users.')); + if ( !current_user_can('delete_users') ) + wp_die(__('You can’t delete users.')); - $userids = $_POST['users']; - + $userids = $_REQUEST['users']; $update = 'del'; - foreach ($userids as $id) { - if($id == $current_user->id) { + $delete_count = 0; + + foreach ( (array) $userids as $id) { + if ( ! current_user_can('delete_user', $id) ) + wp_die(__('You can’t delete that user.')); + + if($id == $current_user->ID) { $update = 'err_admin_del'; continue; } - switch($_POST['delete_option']) { + switch($_REQUEST['delete_option']) { case 'delete': wp_delete_user($id); break; case 'reassign': - wp_delete_user($id, $_POST['reassign_user']); + wp_delete_user($id, $_REQUEST['reassign_user']); break; } + ++$delete_count; } - header('Location: users.php?update=' . $update); + $redirect = add_query_arg( array('delete_count' => $delete_count, 'update' => $update), $redirect); + wp_redirect($redirect); + exit(); break; case 'delete': - check_admin_referer(); + check_admin_referer('bulk-users'); - if (empty($_POST['users'])) { - header('Location: users.php'); + if ( empty($_REQUEST['users']) ) { + wp_redirect($redirect); + exit(); } - if ( !current_user_can('edit_users') ) - $error['edit_users'] = __('You can’t delete users.'); + if ( !current_user_can('delete_users') ) + $errors = new WP_Error('edit_users', __('You can’t delete users.')); - $userids = $_POST['users']; + $userids = $_REQUEST['users']; include ('admin-header.php'); ?>