bbPress.org

Changeset 5806


Timestamp:
07/07/2015 03:18:53 PM (9 years ago)
Author:
johnjamesjacoby
Message:

Users: Add hardening to bbp_edit_user_handler() super-admin grant/revoke action when editing a user's profile.

This commit ensures only super-administrators that also have the manage_network_options capability are able to modify another user's super-administrator privilege.

(Note that bbp_edit_user_handler() has several other conditional checks to prevent privilege escalation here, and this change is only useful for installations that modify core role & capability behavior via third-party plugins in such a way as to have bungled the capabilities of multisite super-administrators.)

Props glynwintle. For 2.5.8 (2.5 branch)

File:
1 edited

  • branches/2.5/includes/users/functions.php

    r5628 r5806  
    14351435
    14361436        // Maybe update super admin ability
    1437         if ( is_multisite() && ! bbp_is_user_home_edit() ) {
     1437        if ( is_multisite() && ! bbp_is_user_home_edit() && current_user_can( 'manage_network_options' ) && is_super_admin() ) {
    14381438            empty( $_POST['super_admin'] ) ? revoke_super_admin( $edit_user ) : grant_super_admin( $edit_user );
    14391439        }
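Review bot: The added condition on line 1437 silently ignores a submitted `super_admin` value when the current user lacks `manage_network_options` or is not a super admin, so a form that still shows the checkbox to such a user will appear to succeed while the privilege change is dropped; consider either hiding the control for those users or recording an error (e.g. via `bbp_add_error()` in the handler's existing error path) so the outcome is visible and loggable rather than a no-op. Minor style point: the combined `is_multisite()`, `bbp_is_user_home_edit()`, `current_user_can()` and `is_super_admin()` chain is now long enough that assigning it to a named boolean such as `$can_change_super_admin` before the `if` would make the intent, and any future audit of this privilege boundary, easier to read.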