Opened 3 years ago
Closed 3 years ago
#11894 closed defect (bug) (fixed)
multisite permission checks should use caps when available
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.0 |
| Component: | Multisite | Version: | 3.0 |
| Severity: | critical | Keywords: | |
| Cc: | | | |
Description
r12722 introduces a bunch of checks such as:
if ( !is_multisite() || is_super_admin() )
they should be replaced with checks such as:
if ( current_user_can('install_plugins') )
Change History (7)
In MU only site admins can install plugins and themes.
The logic added keeps the existing WP logic when multisite is not enabled and enforces the existing MU permissions when multisite is enabled.
Replying to wpmuguru:
> In MU only site admins can install plugins and themes.
> The logic added keeps the existing WP logic when multisite is not enabled and enforces the existing MU permissions when multisite is enabled.
Right but map_meta_cap() should be used for this, is what Denis is saying. I'm pretty sure ryan added multisite-specific mapping for these capabilities already.
I added them. Caps that should be removed from regular admins when multisite is enabled are now removed by map_meta_cap. It does the multisite and super admin check for you.
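
A stand-alone PHP model of the approach described in this comment, added here as an illustration and not taken from the ticket or from WordPress core: the multisite and super admin decision sits inside the mapping step, so call sites keep the plain capability check. The `demo_*` functions, the sample users and the choice of which capabilities are network-only are assumptions made for the example.

```php
<?php
// Stand-alone model of the capability mapping discussed in this ticket.
// Not WordPress core code: every demo_* function is a hypothetical stand-in.

const DEMO_DO_NOT_ALLOW = 'do_not_allow'; // a capability no user is ever granted

// Map a requested capability to the capabilities the user must actually hold.
// The multisite and super admin decision lives here, in one place.
function demo_map_meta_cap(string $cap, array $user, bool $multisite): array
{
    $networkOnly = ['install_plugins', 'update_themes']; // assumed list for the demo
    if ($multisite && in_array($cap, $networkOnly, true) && !$user['super']) {
        return [DEMO_DO_NOT_ALLOW];
    }
    return [$cap];
}

// Call sites ask only this question, as in current_user_can('update_themes').
function demo_user_can(array $user, string $cap, bool $multisite): bool
{
    foreach (demo_map_meta_cap($cap, $user, $multisite) as $required) {
        if (!in_array($required, $user['caps'], true)) {
            return false;
        }
    }
    return true;
}

// The call-site condition the ticket objects to, reproduced for comparison.
function demo_inline_check(array $user, string $cap, bool $multisite): bool
{
    return (!$multisite && in_array($cap, $user['caps'], true)) || $user['super'];
}

// Constructed sample users: granted capabilities plus a super admin flag.
$users = [
    'network admin' => ['caps' => ['update_themes', 'install_plugins'], 'super' => true],
    'site admin'    => ['caps' => ['update_themes', 'install_plugins'], 'super' => false],
    'editor'        => ['caps' => ['edit_posts'], 'super' => false],
];

foreach ([false, true] as $multisite) {
    foreach ($users as $name => $user) {
        printf("%-10s %-14s mapped=%-3s inline=%s\n",
            $multisite ? 'multisite' : 'single', $name,
            demo_user_can($user, 'update_themes', $multisite) ? 'yes' : 'no',
            demo_inline_check($user, 'update_themes', $multisite) ? 'yes' : 'no');
    }
}
```

Both columns agree for every constructed user, which is the point: the mapped version reaches the same decisions while the call site stays a single capability check.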

r12722 should really be reversed outright, even. This kind of change makes no sense whatsoever:
- if ( current_user_can('update_themes') ) + if ( ( !is_multisite() && current_user_can('update_themes') ) || is_super_admin() )
The actual meta cap check should be changed instead if needed, and MU sites should never grant update_themes to anyone *but* a super admin in the first place.
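
Review bot: the `|| is_super_admin()` branch on the added line grants access without consulting `update_themes` at all, and the `!is_multisite() &&` guard means the capability is only ever evaluated on single-site installs, so the permission decision now lives in this one conditional instead of in the capability system. Keep the original `if ( current_user_can('update_themes') )` at the call site and put the multisite restriction in map_meta_cap(), as discussed in the comments above; that also avoids repeating the same compound condition at each of the other checks r12722 touched.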