Merge branch 'WordPress:trunk' into trunk

VladimirAus · web-flow · commit 7c610a19b5fd · 2025-07-22T12:31:16.000+10:00
diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
@@ -690,18 +690,21 @@ function _wp_ajax_add_hierarchical_term() {
 		);
 	}
 
+	$parent_dropdown_args = array(
+		'taxonomy'         => $taxonomy->name,
+		'hide_empty'       => 0,
+		'name'             => 'new' . $taxonomy->name . '_parent',
+		'orderby'          => 'name',
+		'hierarchical'     => 1,
+		'show_option_none' => '&mdash; ' . $taxonomy->labels->parent_item . ' &mdash;',
+	);
+
+	/** This filter is documented in wp-admin/includes/meta-boxes.php */
+	$parent_dropdown_args = apply_filters( 'post_edit_category_parent_dropdown_args', $parent_dropdown_args );
+
 	ob_start();
 
-	wp_dropdown_categories(
-		array(
-			'taxonomy'         => $taxonomy->name,
-			'hide_empty'       => 0,
-			'name'             => 'new' . $taxonomy->name . '_parent',
-			'orderby'          => 'name',
-			'hierarchical'     => 1,
-			'show_option_none' => '&mdash; ' . $taxonomy->labels->parent_item . ' &mdash;',
-		)
-	);
+	wp_dropdown_categories( $parent_dropdown_args );
 
 	$sup = ob_get_clean();
 
diff --git a/src/wp-includes/capabilities.php b/src/wp-includes/capabilities.php
@@ -60,6 +60,12 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
 			break;
 		case 'edit_user':
 		case 'edit_users':
+			// Non-existent users can't edit users, not even themselves.
+			if ( $user_id < 1 ) {
+				$caps[] = 'do_not_allow';
+				break;
+			}
+
 			// Allow user to edit themselves.
 			if ( 'edit_user' === $cap && isset( $args[0] ) && $user_id === (int) $args[0] ) {
 				break;
diff --git a/src/wp-includes/update.php b/src/wp-includes/update.php
@@ -21,7 +21,6 @@
  *
  * @since 2.3.0
  *
- * @global string $wp_version       Used to check against the newest WordPress version.
  * @global wpdb   $wpdb             WordPress database abstraction object.
  * @global string $wp_local_package Locale code of the package.
  *
@@ -317,8 +316,6 @@ function wp_version_check( $extra_stats = array(), $force_check = false ) {
  *
  * @since 2.3.0
  *
- * @global string $wp_version The WordPress version string.
- *
  * @param array $extra_stats Extra statistics to report to the WordPress.org API.
  */
 function wp_update_plugins( $extra_stats = array() ) {
@@ -590,8 +587,6 @@ function wp_update_plugins( $extra_stats = array() ) {
  *
  * @since 2.7.0
  *
- * @global string $wp_version The WordPress version string.
- *
  * @param array $extra_stats Extra statistics to report to the WordPress.org API.
  */
 function wp_update_themes( $extra_stats = array() ) {
diff --git a/tests/phpunit/tests/user/capabilities.php b/tests/phpunit/tests/user/capabilities.php
@@ -1830,13 +1830,49 @@ public function test_multisite_administrator_can_not_edit_users() {
 		$this->assertFalse( current_user_can( 'edit_user', $other_user->ID ) );
 	}
 
-	public function test_user_can_edit_self() {
-		foreach ( self::$users as $role => $user ) {
-			wp_set_current_user( $user->ID );
-			$this->assertTrue( current_user_can( 'edit_user', $user->ID ), "User with role {$role} should have the capability to edit their own profile" );
+	/**
+	 * Test if a user can edit their own profile based on their role.
+	 *
+	 * @ticket 63684
+	 *
+	 * @dataProvider data_user_can_edit_self
+	 *
+	 * @param string $role          The role of the user.
+	 * @param bool   $can_edit_self Whether the user can edit their own profile.
+	 */
+	public function test_user_can_edit_self( $role, $can_edit_self = true ) {
+		$user = self::$users[ $role ];
+		wp_set_current_user( $user->ID );
+
+		if ( $can_edit_self ) {
+			$this->assertTrue(
+				current_user_can( 'edit_user', $user->ID ),
+				"User with role '{$role}' should have the capability to edit their own profile"
+			);
+		} else {
+			$this->assertFalse(
+				current_user_can( 'edit_user', $user->ID ),
+				"User with role '{$role}' should not have the capability to edit their own profile"
+			);
 		}
 	}
 
+	/**
+	 * Data provider for test_user_can_edit_self.
+	 *
+	 * @return array[] Data provider.
+	 */
+	public static function data_user_can_edit_self() {
+		return array(
+			'anonymous'     => array( 'anonymous', false ),
+			'administrator' => array( 'administrator', true ),
+			'editor'        => array( 'editor', true ),
+			'author'        => array( 'author', true ),
+			'contributor'   => array( 'contributor', true ),
+			'subscriber'    => array( 'subscriber', true ),
+		);
+	}
+
 	public function test_only_admins_and_super_admins_can_remove_users() {
 		if ( is_multisite() ) {
 			$this->assertTrue( user_can( self::$super_admin->ID, 'remove_user', self::$users['subscriber']->ID ) );

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,6 @@`
`21`	`21`	`*`
`22`	`22`	`* @since 2.3.0`
`23`	`23`	`*`
`24`		`- * @global string $wp_version Used to check against the newest WordPress version.`
`25`	`24`	`* @global wpdb $wpdb WordPress database abstraction object.`
`26`	`25`	`* @global string $wp_local_package Locale code of the package.`
`27`	`26`	`*`
`@@ -317,8 +316,6 @@ function wp_version_check( $extra_stats = array(), $force_check = false ) {`
`317`	`316`	`*`
`318`	`317`	`* @since 2.3.0`
`319`	`318`	`*`
`320`		`- * @global string $wp_version The WordPress version string.`
`321`		`- *`
`322`	`319`	`* @param array $extra_stats Extra statistics to report to the WordPress.org API.`
`323`	`320`	`*/`
`324`	`321`	`function wp_update_plugins( $extra_stats = array() ) {`
`@@ -590,8 +587,6 @@ function wp_update_plugins( $extra_stats = array() ) {`
`590`	`587`	`*`
`591`	`588`	`* @since 2.7.0`
`592`	`589`	`*`
`593`		`- * @global string $wp_version The WordPress version string.`
`594`		`- *`
`595`	`590`	`* @param array $extra_stats Extra statistics to report to the WordPress.org API.`
`596`	`591`	`*/`
`597`	`592`	`function wp_update_themes( $extra_stats = array() ) {`