bbPress.org

Changeset 5805


Timestamp:
07/07/2015 03:16:38 PM
Author:
johnjamesjacoby
Message:

Users: Add hardening to bbp_edit_user_handler() super-admin grant/revoke action when editing a user's profile.

This commit ensures only super-administrators that also have the manage_network_options capability are able to modify another user's super-administrator privilege.

(Note that bbp_edit_user_handler() has several other conditional checks to prevent privilege escalation here, and this change is only useful for installations that modify core role & capability behavior via third-party plugins in such a way as to have bungled the capabilities of multisite super-administrators.)

Props glynwintle. For 2.6 (trunk)

File:
1 edited

  • trunk/src/includes/users/functions.php

    r5802 r5805  
    14291429
    14301430        // Maybe update super admin ability
    1431         if ( is_multisite() && ! bbp_is_user_home_edit() ) {
     1431        if ( is_multisite() && ! bbp_is_user_home_edit() && current_user_can( 'manage_network_options' ) && is_super_admin() ) {
    14321432            empty( $_POST['super_admin'] )
    14331433                ? revoke_super_admin( $edit_user )
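Review bot: the `is_super_admin()` call added to the condition at line 1431 takes no argument, so it tests the current user rather than `$edit_user`; that is the intended semantics (only a super admin may toggle another user's flag), but a short comment stating it would stop a later reader from "correcting" it to `is_super_admin( $edit_user )`, which would invert the check. On a stock multisite install a super admin already passes `current_user_can( 'manage_network_options' )`, so the two tests are redundant unless a plugin has altered role behaviour as the commit message describes; a one-line comment above the condition noting that the redundancy is deliberate would keep someone from removing one of them as dead code. The condition is also getting long; pulling the capability test into a named variable, e.g. `$can_edit_super_admin = current_user_can( 'manage_network_options' ) && is_super_admin();`, would keep it readable. Lastly, when the check fails the submitted `super_admin` field is silently ignored rather than rejected; if the profile form never shows that control to a non-super-admin a silent skip is fine, otherwise surfacing an error would make tampering attempts visible.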