From a1875a135ed7cfc99f9155041330bd64c1e3b86c Mon Sep 17 00:00:00 2001
From: Claudio Sanches
Date: Wed, 17 Oct 2018 20:01:36 -0300
Subject: [PATCH] Added exception for when a non-admin user tries assign API keys to an admin
---
 includes/class-wc-ajax.php | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/includes/class-wc-ajax.php b/includes/class-wc-ajax.php
index 51500c6c916..00b16670847 100644
--- a/includes/class-wc-ajax.php
+++ b/includes/class-wc-ajax.php
@@ -1759,6 +1759,13 @@ class WC_AJAX {
 $permissions = ( in_array( $_POST['permissions'], array( 'read', 'write', 'read_write' ) ) ) ? sanitize_text_field( $_POST['permissions'] ) : 'read';
 $user_id = absint( $_POST['user'] );
+ // Check if current user can edit other users.
+ if ( $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
+ if ( get_current_user_id() !== $user_id ) {
+ throw new Exception( __( 'You do not have permission to assign API Keys to the selected user.', 'woocommerce' ) );
+ }
+ }
+
 if ( 0 < $key_id ) {
 $data = array(
 'user_id' => $user_id,
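Review bot: The added guard authorises only the target `$user_id`, so on the update path that begins at `if ( 0 < $key_id )` nothing visible in this hunk confirms that the caller may edit the user who currently owns key `$key_id`. That branch continues outside the hunk, so check it against the full function. If no ownership check exists there, read the stored owner of the key before building `$data` and apply the same `current_user_can( 'edit_user', $owner_id )` test to it (`$owner_id` being a placeholder name). Separately, the `$user_id &&` short-circuit skips the guard whenever `absint( $_POST['user'] )` yields 0, for example for a non-numeric value, and the visible code then stores `'user_id' => $user_id` as 0, so a zero ID is better rejected with an exception before this check. The two nested `if` statements would also read more clearly as one condition, `if ( $user_id && get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) )`.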