Changeset 5806

Timestamp:

07/07/2015 03:18:53 PM (11 years ago)

Author:

johnjamesjacoby

Message:

Users: Add hardening to bbp_edit_user_handler() super-admin grant/revoke action when editing a user's profile.

This commit ensures only super-administrators that also have the manage_network_options capability are able to modify another user's super-administrator privilege.

(Note that bbp_edit_user_handler() has several other conditional checks to prevent privilege escalation here, and this change is only useful for installations that modify core role & capability behavior via third-party plugins in such a way as to have bungled the capabilities of multisite super-administrators.)

Props glynwintle. For 2.5.8 (2.5 branch)

File:

• branches/2.5/includes/users/functions.php (modified) (1 diff)

branches/2.5/includes/users/functions.php

@@ -1435 +1435 @@
 
         // Maybe update super admin ability
-        if ( is_multisite() && ! bbp_is_user_home_edit() ) {
+        if ( is_multisite() && ! bbp_is_user_home_edit() && current_user_can( 'manage_network_options' ) && is_super_admin() ) {
             empty( $_POST['super_admin'] ) ? revoke_super_admin( $edit_user ) : grant_super_admin( $edit_user );
         }