Capabilities: Prevent users having the do_not_allow capability.

Meta capabilities use the capability `do_not_allow` to indicate a user should be blocked from performing a particular action. This ensures users can not have the capability as it would cause unexpected behaviour.

Props johnbillion.
Fixes #41059.



git-svn-id: https://develop.svn.wordpress.org/trunk@40993 602fd350-edb4-49c9-b593-d223f7449a82
Peter Wilson
2017-07-02 05:15:42 +00:00
parent bf850da3ec
commit 3a4ffa09ab
2 changed files with 54 additions and 0 deletions

@@ -748,6 +748,9 @@ class WP_User {
// Everyone is allowed to exist.
$capabilities['exist'] = true;
// Nobody is allowed to do things they are not allowed to do.
unset( $capabilities['do_not_allow'] );
// Must have ALL requested caps.
foreach ( (array) $caps as $cap ) {
if ( empty( $capabilities[ $cap ] ) )
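
Review bot: The comment above `unset( $capabilities['do_not_allow'] );` is a tautology and does not record why the key is removed. Per the commit message, meta capabilities use `do_not_allow` to signal that an action is blocked, so a user whose `$capabilities` array carried that key as truthy would satisfy the "Must have ALL requested caps" loop that follows for an action that was meant to be denied. Suggest rewording the comment to say that `do_not_allow` is the deny marker used by meta capability mapping and must never evaluate as granted, so the next reader does not treat the `unset()` as redundant and remove it. Placement directly after the `exist` assignment and before the loop is right, since both lines normalise the array the loop reads.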