Menu and plugin tweakage.

git-svn-id: http://svn.automattic.com/wordpress/trunk@4049 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/admin-functions.php

@@ -379,6 +379,7 @@ function add_user() {
 	if ( func_num_args() ) { // The hackiest hack that ever did hack
 		global $current_user, $wp_roles;
 		$user_id = func_get_arg(0);
+
 		if (isset ($_POST['role'])) {
 			if($user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap('edit_users')) {
 				$user = new WP_User($user_id);
@@ -412,7 +413,7 @@ function edit_user($user_id = 0) {
 	if (isset ($_POST['pass2']))
 		$pass2 = $_POST['pass2'];
 
-	if (isset ($_POST['role'])) {
+	if (isset ($_POST['role']) && current_user_can('edit_users')) { 
 		if($user_id != $current_user->id || $wp_roles->role_objects[$_POST['role']]->has_cap('edit_users'))
 			$user->role = $_POST['role'];
 	}
@@ -1330,12 +1331,16 @@ function user_can_access_admin_page() {
 	global $menu;
 	global $submenu;
 	global $menu_nopriv;
+	global $plugin_page;
 
 	$parent = get_admin_page_parent();
 	
 	if ( isset($menu_nopriv[$pagenow]) )
 		return false;
 
+	if ( isset($plugin_page) && isset($menu_nopriv[$plugin_page]) )
+		return false;
+	
 	if ( empty($parent) )
 		return true;
 

wp-admin/admin.php

@@ -30,12 +30,15 @@ wp_enqueue_script( 'fat' );
 
 $editing = false;
 
-require(ABSPATH . '/wp-admin/menu.php');
-
-// Handle plugin admin pages.
 if (isset($_GET['page'])) {
 	$plugin_page = stripslashes($_GET['page']);
 	$plugin_page = plugin_basename($plugin_page);
+}
+
+require(ABSPATH . '/wp-admin/menu.php');
+
+// Handle plugin admin pages.
+if (isset($plugin_page)) {
 	$page_hook = get_plugin_page_hook($plugin_page, $pagenow);
 
 	if ( $page_hook ) {
@@ -64,6 +67,9 @@ if (isset($_GET['page'])) {
 
 	$importer = $_GET['import'];
 
+	if ( ! current_user_can('import') )
+		wp_die(__('You are not allowed to import.'));
+
 	if ( validate_file($importer) ) {
 		wp_die(__('Invalid importer.'));
 	}