From e26aed0ac45d5b6058efc66ee8509ccf03449b71 Mon Sep 17 00:00:00 2001
From: josephscott
Date: Thu, 22 Apr 2010 19:48:13 +0000
Subject: [PATCH] New 'list_users' cap to provide more controls over listing users vs. editing users. Apply this new cap to the 'Authors & Users' menu item and 'Users' page in wp-admin. Bump db version to 14139 to pick up the new cap. See #13074
git-svn-id: http://svn.automattic.com/wordpress/trunk@14189 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/includes/schema.php | 1 +
 wp-admin/includes/template.php | 6 ++++--
 wp-admin/includes/upgrade.php | 6 +++---
 wp-admin/menu.php | 8 ++++----
 wp-admin/users.php | 2 +-
 wp-includes/capabilities.php | 13 ++++++++++---
 wp-includes/version.php | 2 +-
 7 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/wp-admin/includes/schema.php b/wp-admin/includes/schema.php
index 72f081842..97f05d616 100644
--- a/wp-admin/includes/schema.php
+++ b/wp-admin/includes/schema.php
@@ -607,6 +607,7 @@ function populate_roles_300() {
 if ( !empty( $role ) ) {
 $role->add_cap( 'update_core' );
+ $role->add_cap( 'list_users' );
 $role->add_cap( 'remove_users' );
 $role->add_cap( 'add_users' );
 $role->add_cap( 'promote_users' );
diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php
index 851cc8012..fbd0bb1d3 100644
--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -1812,7 +1812,7 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
 $short_url = substr( $short_url, 0, 32 ).'...';
 $checkbox = '';
 // Check if the user for this row is editable
- if ( current_user_can( 'edit_user', $user_object->ID ) ) {
+ if ( current_user_can( 'list_users', $user_object->ID ) ) {
 // Set up the user editing link
 // TODO: make profile/user-edit determination a separate function
 if ($current_user->ID == $user_object->ID) {
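Review bot: The second argument in the new condition `current_user_can( 'list_users', $user_object->ID )` has no effect as far as this patch shows, because the capabilities.php hunk adds no `list_users` case to `map_meta_cap()`, so `list_users` is a role-level cap and the per-user ID is silently ignored while reading like a per-row check. Prefer `if ( current_user_can( 'list_users' ) ) {` so the call says what it tests. The comment above it, `// Check if the user for this row is editable`, now describes the old `edit_user` test; `// Only users who may list users get a linked row` matches the new condition. Note that this block still builds the user-editing link for anyone who can list users (the link construction continues outside the hunk), while the second template.php hunk gates only the hover 'Edit' action on `edit_user`, so list-only users may still be offered a link to a screen they cannot use. user_row's body continues outside the hunk.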
@@ -1824,7 +1824,9 @@ function user_row( $user_object, $style = '', $role = '', $numposts = 0 ) {
 // Set up the hover actions for this user
 $actions = array();
- $actions['edit'] = '' . __('Edit') . '';
+
+ if ( current_user_can('edit_user', $user_object->ID) )
+ $actions['edit'] = '' . __('Edit') . '';
 if ( !is_multisite() && $current_user->ID != $user_object->ID && current_user_can('delete_user', $user_object->ID) )
 $actions['delete'] = "" . __('Delete') . "";
 if ( is_multisite() && $current_user->ID != $user_object->ID && current_user_can('remove_user', $user_object->ID) )
diff --git a/wp-admin/includes/upgrade.php b/wp-admin/includes/upgrade.php
index 94f2d6530..a45cde832 100644
--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@@ -440,7 +440,7 @@ function upgrade_all() {
 if ( $wp_current_db_version < 11958 )
 upgrade_290();
- if ( $wp_current_db_version < 14138 )
+ if ( $wp_current_db_version < 14139 )
 upgrade_300();
 maybe_disable_automattic_widgets();
@@ -1108,14 +1108,14 @@ function upgrade_290() {
 function upgrade_300() {
 global $wp_current_db_version, $wpdb;
- if ( $wp_current_db_version < 12751 ) {
+ if ( $wp_current_db_version < 14139 ) {
 populate_roles_300();
 if ( is_multisite() && is_main_site() && ! defined( 'MULTISITE' ) && get_site_option( 'siteurl' ) === false )
 add_site_option( 'siteurl', '' );
 }
 // #11866 (Convert the taxonomy children cache into a transient) - Remove old cache.
- if ( $wp_current_db_version < 14138 ) {
+ if ( $wp_current_db_version < 14139 ) {
 foreach ( get_taxonomies( array('hierarchical' => true) ) as $taxonomy )
 delete_option($taxonomy . '_children');
 }
diff --git a/wp-admin/menu.php b/wp-admin/menu.php
index ab26ffacb..60e19c1bb 100644
--- a/wp-admin/menu.php
+++ b/wp-admin/menu.php
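Review bot: The first block of `upgrade_300()` now runs `populate_roles_300()` again for every install between db versions 12751 and 14139, but nothing records why the threshold moved, and the same block also re-evaluates the multisite `siteurl` site-option check. A comment on the changed condition would stop the next maintainer from "fixing" it back, e.g. `// Re-run for < 14139 so the 'list_users' cap added in populate_roles_300() reaches existing 3.0 installs.`. Re-adding caps to a role is presumably idempotent, and the `siteurl` branch is guarded by `=== false`, so the re-run looks safe; this is a documentation point only.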
@@ -172,14 +172,14 @@ if ( is_super_admin() || ( is_multisite() && isset($menu_perms['plugins']) && $m
 }
 unset($menu_perms, $update_plugins, $update_count);
-if ( current_user_can('edit_users') )
- $menu[70] = array( __('Users'), 'edit_users', 'users.php', '', 'menu-top menu-icon-users', 'menu-users', 'div' );
+if ( current_user_can('list_users') )
+ $menu[70] = array( __('Users'), 'list_users', 'users.php', '', 'menu-top menu-icon-users', 'menu-users', 'div' );
 else
 $menu[70] = array( __('Profile'), 'read', 'profile.php', '', 'menu-top menu-icon-users', 'menu-users', 'div' );
-if ( current_user_can('edit_users') ) {
+if ( current_user_can('list_users') ) {
 $_wp_real_parent_file['profile.php'] = 'users.php'; // Back-compat for plugins adding submenus to profile.php.
- $submenu['users.php'][5] = array(__('Authors & Users'), 'edit_users', 'users.php');
+ $submenu['users.php'][5] = array(__('Authors & Users'), 'list_users', 'users.php');
 $submenu['users.php'][10] = array(_x('Add New', 'user'), 'create_users', 'user-new.php');
 $submenu['users.php'][15] = array(__('Your Profile'), 'read', 'profile.php');
diff --git a/wp-admin/users.php b/wp-admin/users.php
index 282dc2868..0069a3292 100644
--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@@ -12,7 +12,7 @@ require_once('./admin.php');
 /** WordPress Registration API */
 require_once( ABSPATH . WPINC . '/registration.php');
-if ( !current_user_can('edit_users') )
+if ( !current_user_can('list_users') )
 wp_die(__('Cheatin’ uh?'));
 $title = __('Users');
diff --git a/wp-includes/capabilities.php b/wp-includes/capabilities.php
index af502a30c..db28b974c 100644
--- a/wp-includes/capabilities.php
+++ b/wp-includes/capabilities.php
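Review bot: Gating the Users menu and the users.php screen on `list_users` alone locks out any role that holds `edit_users` but not the new cap, because the schema.php hunk grants `list_users` to a single role object (presumably administrator) and nothing in the capabilities.php hunk maps `edit_users` onto it; roles created by plugins with `edit_users` would silently drop to the 'Profile' menu and hit the `wp_die` in users.php after the upgrade. If editing is meant to imply listing, either grant `list_users` wherever `edit_users` is granted in the upgrade routine, or make the checks here and in users.php `if ( current_user_can('list_users') || current_user_can('edit_users') )`. The same point applies to the users.php hunk below.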
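Review bot: With the page-level gate relaxed from `edit_users` to `list_users`, the screen check no longer covers the actions this page handles (the template.php hunks reference `delete_user`, `remove_user` and `promote_users` flows), which lie outside the hunk; each action branch must carry its own `current_user_can()` test now that a user who may only list can reach the page. The commit does not show those handlers, so this needs confirming against the rest of users.php rather than being a defect visible here. A one-line comment above the check, `// list_users only grants access to the screen; each bulk action checks its own cap below`, would make the contract explicit.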
@@ -806,9 +806,16 @@ function map_meta_cap( $cap, $user_id ) {
 $caps[] = 'promote_users';
 break;
 case 'edit_user':
- if ( !isset( $args[0] ) || $user_id != $args[0] ) {
- $caps[] = 'edit_users';
- }
+ // Allow user to edit itself
+ if ( isset( $args[0] ) && $user_id == $args[0] )
+ break;
+ // Fall through
+ case 'edit_users':
+ // If multisite these caps are allowed only for super admins.
+ if ( is_multisite() && !is_super_admin() )
+ $caps[] = 'do_not_allow';
+ else
+ $caps[] = $cap;
 break;
 case 'delete_post':
 $author_data = get_userdata( $user_id );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 641aa97e4..42e8c00e6 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -15,7 +15,7 @@ $wp_version = '3.0-beta1';
 *
 * @global int $wp_db_version
 */
-$wp_db_version = 14138;
+$wp_db_version = 14139;
 /**
 * Holds the TinyMCE version
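Review bot: After the new fall-through from `case 'edit_user':` into `case 'edit_users':`, `$cap` still holds `'edit_user'`, so the non-multisite branch `$caps[] = $cap;` requires a primitive cap named `edit_user` (singular), which no role is shown to grant — the schema.php hunk adds only plural caps such as `list_users` and `remove_users` — so `current_user_can( 'edit_user', $other_id )` would fail for administrators on single-site. Make the primitive explicit: `$caps[] = 'edit_users'; // explicit because of the fall-through from 'edit_user'`. Separately, `is_super_admin()` is called without an argument while `map_meta_cap( $cap, $user_id )` is being evaluated for `$user_id`, so the multisite branch answers for the logged-in user rather than the user under test; pass it through as `if ( is_multisite() && !is_super_admin( $user_id ) )`. map_meta_cap's switch continues outside the hunk.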