From 37d767a019b3b83f7c5d70176a156560725f047c Mon Sep 17 00:00:00 2001 From: ryan Date: Sun, 24 Sep 2006 10:08:58 +0000 Subject: [PATCH] Don't show user form without privs. Props westi. fixes #3142 git-svn-id: http://svn.automattic.com/wordpress/trunk@4216 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/user-edit.php | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php index 9ccabc15c..061d7c321 100644 --- a/wp-admin/user-edit.php +++ b/wp-admin/user-edit.php @@ -12,6 +12,11 @@ wp_reset_vars(array('action', 'redirect', 'profile', 'user_id', 'wp_http_referer $wp_http_referer = remove_query_arg(array('update', 'delete_count'), stripslashes($wp_http_referer)); +$user_id = (int) $user_id; + +if ( !$user_id ) + wp_die(__('Invalid user ID.')); + switch ($action) { case 'switchposts': @@ -26,9 +31,9 @@ case 'update': check_admin_referer('update-user_' . $user_id); if ( !current_user_can('edit_user', $user_id) ) - $errors = new WP_Error('head', __('You do not have permission to edit this user.')); -else - $errors = edit_user($user_id); + wp_die(__('You do not have permission to edit this user.')); + +$errors = edit_user($user_id); if( !is_wp_error( $errors ) ) { $redirect = "user-edit.php?user_id=$user_id&updated=true"; @@ -38,13 +43,12 @@ if( !is_wp_error( $errors ) ) { } default: -include ('admin-header.php'); - $profileuser = get_user_to_edit($user_id); if ( !current_user_can('edit_user', $user_id) ) - if ( !is_wp_error( $errors ) ) - $errors = new WP_Error('head', __('You do not have permission to edit this user.')); + wp_die(__('You do not have permission to edit this user.')); + +include ('admin-header.php'); ?>