Networks and Sites: prevent a PHP error in wp-admin/network/site-users.php.

This change brings the multisite specific `promote` user action up-to-speed with the single-site one, by adding: 

* capability checks where appropriate
* a `none` check on `$role` to set it to an empty string

It also updates the inline documentation of the single-site `promote` user action in `users.php`, to match the suggested additions to the multisite file.

Props ignatiusjeroe, jeremyfelt, johnjamesjacoby, pratiklondhe, shanemuir, sudipatel007, techpartho.

Fixes #61100.



git-svn-id: https://develop.svn.wordpress.org/trunk@60976 602fd350-edb4-49c9-b593-d223f7449a82

Author: JJJ

src/wp-admin/network/site-users.php

@@ -139,19 +139,37 @@
 
 		case 'promote':
 			check_admin_referer( 'bulk-users' );
+
+			if ( ! current_user_can( 'promote_users' ) ) {
+				wp_die( __( 'Sorry, you are not allowed to edit this user.' ), 403 );
+			}
+
 			$editable_roles = get_editable_roles();
 			$role           = $_REQUEST['new_role'];
 
+			// Mock `none` as editable role.
+			$editable_roles['none'] = array(
+				'name' => __( '— No role for this site —' ),
+			);
+
 			if ( empty( $editable_roles[ $role ] ) ) {
 				wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
 			}
 
+			if ( 'none' === $role ) {
+				$role = '';
+			}
+
 			if ( isset( $_REQUEST['users'] ) ) {
 				$userids = $_REQUEST['users'];
 				$update  = 'promote';
 				foreach ( $userids as $user_id ) {
 					$user_id = (int) $user_id;
 
+					if ( ! current_user_can( 'promote_user', $user_id ) ) {
+						wp_die( __( 'Sorry, you are not allowed to edit this user.' ), 403 );
+					}
+
 					// If the user doesn't already belong to the blog, bail.
 					if ( ! is_user_member_of_blog( $user_id ) ) {
 						wp_die(
@@ -162,6 +180,8 @@
 					}
 
 					$user = get_userdata( $user_id );
+
+					// If $role is empty, none will be set.
 					$user->set_role( $role );
 				}
 			} else {

src/wp-admin/users.php

@@ -122,7 +122,7 @@
 		$editable_roles = get_editable_roles();
 		$role           = $_REQUEST['new_role'];
 
-		// Mocking the `none` role so we are able to save it to the database
+		// Mock `none` as editable role.
 		$editable_roles['none'] = array(
 			'name' => __( '— No role for this site —' ),
 		);
@@ -162,6 +162,8 @@
 			}
 
 			$user = get_userdata( $id );
+
+			// If $role is empty, none will be set.
 			$user->set_role( $role );
 		}