diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php
index fdfeb3801..1ee9c02b2 100644
--- a/wp-admin/admin-functions.php
+++ b/wp-admin/admin-functions.php
@@ -738,7 +738,7 @@ function user_row( $user_object, $style = '' ) {
$short_url";
$r .= "\n\t\t$numposts";
$r .= "\n\t\t";
- if (current_user_can('edit_users'))
+ if ( current_user_can('edit_user', $user_object->ID) )
$r .= "".__('Edit')."";
$r .= "\n\t";
return $r;
diff --git a/wp-admin/upgrade-functions.php b/wp-admin/upgrade-functions.php
index 6e103b7cd..97f6410a7 100644
--- a/wp-admin/upgrade-functions.php
+++ b/wp-admin/upgrade-functions.php
@@ -173,7 +173,7 @@ function upgrade_all() {
if ( $wp_current_db_version < 3308 )
upgrade_160();
- if ( $wp_current_db_version < 3767 )
+ if ( $wp_current_db_version < 3845 )
upgrade_210();
$wp_rewrite->flush_rules();
@@ -492,7 +492,7 @@ function upgrade_210() {
}
}
- if ( $wp_current_db_version < 3767 ) {
+ if ( $wp_current_db_version < 3845 ) {
populate_roles_210();
}
diff --git a/wp-admin/upgrade-schema.php b/wp-admin/upgrade-schema.php
index d616fb651..f20047aaa 100644
--- a/wp-admin/upgrade-schema.php
+++ b/wp-admin/upgrade-schema.php
@@ -364,6 +364,12 @@ function populate_roles_210() {
$role->add_cap('read_private_pages');
}
+ $role = get_role('administrator');
+ if ( ! empty($role) ) {
+ $role->add_cap('delete_users');
+ $role->add_cap('create_users');
+ }
+
$role = get_role('author');
if ( ! empty($role) ) {
$role->add_cap('delete_posts');
diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php
index d17733d39..362dbde09 100644
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@@ -34,7 +34,7 @@ case 'update':
check_admin_referer('update-user_' . $user_id);
-if (!current_user_can('edit_users'))
+if ( !current_user_can('edit_user', $user_id) )
$errors = new WP_Error('head', __('You do not have permission to edit this user.'));
else
$errors = edit_user($user_id);
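Review bot: The Edit link in user_row() is now rendered only when `current_user_can('edit_user', $user_object->ID)` passes, but this line controls visibility only; the enforcing check lives in user-edit.php, which this commit moves to the same meta cap. The two have to stay in step, or a user who sees the link is met by the "You do not have permission" WP_Error on the next page. A comment on the added line would make the dependency visible: `// visibility only; user-edit.php performs the enforcing edit_user check`. The `$r .=` line that follows is shown with its markup stripped in this view, and user_row() begins outside the hunk.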
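Review bot: Raising the threshold in upgrade_all() from 3767 to 3845 re-runs upgrade_210() for every install whose stored db version already sits in the 3767–3844 range, which is what delivers the new delete_users/create_users grants; the second hunk at line 492 raises the inner populate_roles_210() guard the same way. Whether that re-run is harmless depends on the rest of upgrade_210() being idempotent for those installs, and its body lies outside the hunk, so I cannot confirm it here. A comment tying the numbers together would keep the next bump from drifting: `// 3845: roles gain delete_users/create_users; keep in step with $wp_db_version in version.php`.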
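Review bot: Only the administrator role receives the new delete_users and create_users capabilities here, while users.php in this same commit gates deleting and creating users on those caps instead of edit_users. Any custom role that had been granted edit_users on an existing site therefore loses the ability to create or delete users after this upgrade unless it is re-granted; that reads as an intended tightening, but it should be stated where the grant is made. I would add above the new block: `// New in 3845: create/delete users are split out of edit_users and granted to administrators only`. The `! empty($role)` guard follows the surrounding code and presumably covers get_role() returning nothing for a missing role.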
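Review bot: The `edit_user` check in the `update` case is duplicated by the one at line 49 in the next hunk, which tests the same `$user_id` again after the form-processing branch, so a later change to one of them can silently diverge from the other. Both resolve through map_meta_cap() to plain `edit_users` in this commit, so the target id is not yet used to distinguish users. Consider evaluating it once, `$can_edit = current_user_can('edit_user', $user_id);`, before the switch and testing `$can_edit` in both places; the switch statement itself starts outside the hunk.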
@@ -49,7 +49,7 @@ include ('admin-header.php');
$profileuser = new WP_User($user_id);
-if (!current_user_can('edit_users'))
+if ( !current_user_can('edit_user', $user_id) )
if ( !is_wp_error( $errors ) )
$errors = new WP_Error('head', __('You do not have permission to edit this user.'));
?>
diff --git a/wp-admin/users.php b/wp-admin/users.php
index d0624ccf9..86b2cf442 100644
--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@@ -23,6 +23,8 @@ case 'promote':
$userids = $_POST['users'];
$update = 'promote';
foreach($userids as $id) {
+ if ( ! current_user_can('edit_user', $id) )
+ die(__('You can’t edit that user.'));
// The new role of the current user must also have edit_users caps
if($id == $current_user->id && !$wp_roles->role_objects[$_POST['new_role']]->has_cap('edit_users')) {
$update = 'err_admin_role';
@@ -45,13 +47,16 @@ case 'dodelete':
header('Location: users.php');
}
- if ( !current_user_can('edit_users') )
+ if ( !current_user_can('delete_users') )
die(__('You can’t delete users.'));
$userids = $_POST['users'];
$update = 'del';
foreach ($userids as $id) {
+ if ( ! current_user_can('delete_user', $id) )
+ die(__('You can’t delete that user.'));
+
if($id == $current_user->id) {
$update = 'err_admin_del';
continue;
@@ -78,7 +83,7 @@ case 'delete':
header('Location: users.php');
}
- if ( !current_user_can('edit_users') )
+ if ( !current_user_can('delete_users') )
$error = new WP_Error('edit_users', __('You can’t delete users.'));
$userids = $_POST['users'];
@@ -134,6 +139,9 @@ break;
case 'adduser':
check_admin_referer('add-user');
+ if ( ! current_user_can('create_users') )
+ die(__('You can’t create users.'));
+
$user_id = add_user();
if ( is_wp_error( $user_id ) )
$errors = $user_id;
diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php
index f272dd325..a1dfa56a3 100644
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
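Review bot: The new `edit_user` check in the `promote` case sits inside the `foreach` over `$_POST['users']` and calls `die()` on the first failing id, so when a batch mixes permitted and forbidden ids, the ids handled on earlier iterations have already been processed before the request aborts, and the admin gets a bare text response instead of the page with an error. The `dodelete` hunk below adds a `delete_user` check with the same shape. Validating every id before the loop, or recording the failure in `$update` and `continue`-ing the way the self-promotion case on the following lines does, keeps the batch all-or-nothing and matches the file's existing error reporting. The loop body continues outside the hunk, so I cannot confirm what each iteration does after this check.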
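Review bot: The error object in the `delete` case still carries the code `'edit_users'` although the capability being tested is now `delete_users`, so anything keyed on that code keeps reporting the old capability. `$error = new WP_Error('delete_users', __('You can’t delete users.'));` keeps the code and the check aligned. Note also that the `dodelete` case above reports the same missing capability with `die()` while this one builds a WP_Error, so the confirm and delete paths fail differently for the same condition.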
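Review bot: The `create_users` check in the `adduser` case aborts with `die()`, whereas the `delete` case in the same file reports a missing capability through `$error = new WP_Error(...)` so the page can render it; the convention for the checks this commit adds should be settled one way. Either way, placing the check before `$user_id = add_user();` is right, since nothing has been written when it fails. If `die()` stays, a one-line comment such as `// hard stop: nothing below is safe to reach without create_users` would record that the abort is deliberate.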
@@ -272,6 +272,12 @@ function map_meta_cap($cap, $user_id) {
$caps = array();
switch ($cap) {
+ case 'delete_user':
+ $caps[] = 'delete_users';
+ break;
+ case 'edit_user':
+ $caps[] = 'edit_users';
+ break;
case 'delete_post':
$author_data = get_userdata($user_id);
//echo "post ID: {$args[0]}
";
diff --git a/wp-includes/version.php b/wp-includes/version.php
index ad3761a0e..870b54238 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -2,7 +2,7 @@
// This just holds the version number, in a separate file so we can bump it without cluttering the SVN
-$wp_version = '2.1-alpha1';
-$wp_db_version = 3809;
+$wp_version = '2.1-alpha2';
+$wp_db_version = 3845;
?>
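Review bot: The new `delete_user` and `edit_user` cases in map_meta_cap() map straight to the role-wide `delete_users` and `edit_users` caps and never look at the target user id that callers now pass as the extra argument (`current_user_can('edit_user', $user_object->ID)` in admin-functions.php, the `$id` checks in users.php). These meta caps therefore do not, by themselves, distinguish which user is targeted; users.php still guards the self case with its own `$id == $current_user->id` comparisons. A comment on the new cases should say so, e.g. `// per-user restrictions not yet applied: identical to the plural caps regardless of $args[0]`, so nobody relies on a per-user check that is not here. The `delete_post` case that follows shows the per-object pattern with `get_userdata($user_id)`, and the function body continues outside the hunk.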