Changeset 6854

Timestamp:

03/23/2013 06:21:38 AM (13 years ago)

Author:

johnjamesjacoby

Message:

Additional hardening to bp_core_delete_account() to ensure users cannot be accidentally deleted. For 1.6.

File:

• branches/1.6/bp-members/bp-members-functions.php (modified) (1 diff)

branches/1.6/bp-members/bp-members-functions.php

@@ -783 +783 @@
 function bp_core_delete_account( $user_id = 0 ) {
 
+    // Use logged in user ID if none is passed
     if ( empty( $user_id ) )
         $user_id = bp_loggedin_user_id();
 
-    // Make sure account deletion is not disabled
-    if ( !bp_current_user_can( 'delete_users' ) && bp_disable_account_deletion() )
+    // Bail if account deletion is disabled
+    if ( bp_disable_account_deletion() )
         return false;
 
     // Site admins cannot be deleted
     if ( is_super_admin( $user_id ) )
+        return false;
+
+    // Bail if current user cannot delete any users
+    if ( ! bp_current_user_can( 'delete_users' ) )
+        return false;
+
+    // Bail if current user cannot delete this user
+    if ( ! current_user_can_for_blog( bp_get_root_blog_id(), 'delete_user', $user_id ) )
         return false;