
Changeset 43085


Timestamp:
05/02/2018 01:07:00 AM (6 years ago)
Author:
iandunn
Message:

Privacy: Limit export and erasure to super admins on Multisite.

Multisite networks have a variety of use cases, and in many of them single-site administrators are not trusted to take actions that affect the whole network, require making decisions about legal compliance, etc. By default, those actions should require super admin capabilities. Plugins can be used to override that behavior if a particular site's use case calls for it.

Props allendav, jeremyfelt, iandunn.
Fixes #43919.

Location:
trunk
Files:
4 edited

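--- a/trunk/src/wp-admin/includes/ajax-actions.php
+++ b/trunk/src/wp-admin/includes/ajax-actions.php
@@ -4345,5 +4345,5 @@
     }
 
-    if ( ! current_user_can( 'manage_options' ) ) {
+    if ( ! current_user_can( 'export_others_personal_data' ) ) {
         wp_send_json_error( __( 'Invalid request.' ) );
     }
@@ -4523,5 +4523,6 @@
     }
 
-    if ( ! current_user_can( 'delete_users' ) ) {
+    // Both capabilities are required to avoid confusion, see `_wp_personal_data_removal_page()`.
+    if ( ! current_user_can( 'erase_others_personal_data' ) || ! current_user_can( 'delete_users' ) ) {
         wp_send_json_error( __( 'Invalid request.' ) );
     }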
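Review bot: The comment added above the erasure check (new line 4525) gives "to avoid confusion" as the reason, which does not tell a maintainer why this AJAX handler needs two capabilities rather than one. The rationale written out in `_wp_personal_data_removal_page()` is that delegated erasure lets single-site admins affect global users, and it is worth restating where the request is authorised: `// Require both caps: on Multisite, erasure can affect global users, not only this site. See _wp_personal_data_removal_page().` Both handler bodies start and end outside the hunks, so whether a nonce check accompanies these capability checks cannot be confirmed from this page.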
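--- a/trunk/src/wp-admin/includes/user.php
+++ b/trunk/src/wp-admin/includes/user.php
@@ -786,6 +786,6 @@
  */
 function _wp_personal_data_export_page() {
-    if ( ! current_user_can( 'manage_options' ) ) {
-        wp_die( esc_html__( 'Sorry, you are not allowed to manage privacy on this site.' ) );
+    if ( ! current_user_can( 'export_others_personal_data' ) ) {
+        wp_die( __( 'Sorry, you are not allowed to export personal data on this site.' ) );
     }
 
@@ -851,6 +851,12 @@
  */
 function _wp_personal_data_removal_page() {
-    if ( ! current_user_can( 'delete_users' ) ) {
-        wp_die( esc_html__( 'Sorry, you are not allowed to manage privacy on this site.' ) );
+    /*
+     * Require both caps in order to make it explicitly clear that delegating
+     * erasure from network admins to single-site admins will give them the
+     * ability to affect global users, rather than being limited to the site
+     * that they administer.
+     */
+    if ( ! current_user_can( 'erase_others_personal_data' ) || ! current_user_can( 'delete_users' ) ) {
+        wp_die( __( 'Sorry, you are not allowed to erase data on this site.' ) );
     }
 
@@ -918,6 +924,6 @@
  */
 function _wp_privacy_hook_requests_page() {
-    add_submenu_page( 'tools.php', __( 'Export Personal Data' ), __( 'Export Personal Data' ), 'manage_options', 'export_personal_data', '_wp_personal_data_export_page' );
-    add_submenu_page( 'tools.php', __( 'Remove Personal Data' ), __( 'Remove Personal Data' ), 'manage_options', 'remove_personal_data', '_wp_personal_data_removal_page' );
+    add_submenu_page( 'tools.php', __( 'Export Personal Data' ), __( 'Export Personal Data' ), 'export_others_personal_data', 'export_personal_data', '_wp_personal_data_export_page' );
+    add_submenu_page( 'tools.php', __( 'Remove Personal Data' ), __( 'Remove Personal Data' ), 'erase_others_personal_data', 'remove_personal_data', '_wp_personal_data_removal_page' );
 }
 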
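Review bot: Both new `wp_die()` calls (new lines 789 and 860) pass the message through `__()` where the replaced lines used `esc_html__()`, so the translated string is no longer escaped on output. Neither message contains markup, and the translated text comes from language files rather than from this code, so I would keep the escaping: `wp_die( esc_html__( 'Sorry, you are not allowed to export personal data on this site.' ) );`, and likewise for the erasure message. If the escaping was dropped on purpose, a short comment saying why would stop it being "fixed" back later. Both function bodies continue past the end of their hunks.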
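--- a/trunk/src/wp-includes/capabilities.php
+++ b/trunk/src/wp-includes/capabilities.php
@@ -556,4 +556,8 @@
             }
             break;
+        case 'export_others_personal_data':
+        case 'erase_others_personal_data':
+            $caps[] = is_multisite() ? 'manage_network' : 'manage_options';
+            break;
         default:
             // Handle meta capabilities for custom post types.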
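Review bot: The new `case` arms (new lines 558-561) have no comment, although they are the one place that decides who may export or erase other users' personal data. A line above the two labels such as `// Personal data export/erasure: network-level capability on Multisite, site-level otherwise.` would record the intent stated in the commit message. It would also help to say there that `manage_network` is the deliberate default gate on Multisite, so a plugin that relaxes it knows it is handing single-site admins an action the commit describes as network-wide. The enclosing `switch` starts and ends outside the hunk.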
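--- a/trunk/tests/phpunit/tests/user/capabilities.php
+++ b/trunk/tests/phpunit/tests/user/capabilities.php
@@ -238,4 +238,6 @@
             'deactivate_plugins'     => array( 'administrator' ),
             'upgrade_php'            => array( 'administrator' ),
+            'export_others_personal_data' => array( 'administrator' ),
+            'erase_others_personal_data'  => array( 'administrator' ),
 
             'edit_categories'        => array( 'administrator', 'editor' ),
@@ -270,4 +272,6 @@
             'deactivate_plugins'     => array(),
             'upgrade_php'            => array(),
+            'export_others_personal_data' => array( '' ),
+            'erase_others_personal_data'  => array( '' ),
 
             'customize'              => array( 'administrator' ),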
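Review bot: The two entries added at new lines 274-275 use `array( '' )`, a list holding one empty role name, where the neighbouring entries in the same table (`deactivate_plugins`, `upgrade_php`) use `array()` to say that no role has the capability. If the intent is that no role holds these capabilities in that configuration, `'export_others_personal_data' => array(),` and `'erase_others_personal_data'  => array(),` state it directly. How the table is consumed is outside the hunk, so whether the `''` entry changes what is asserted cannot be told from this page. The visible expectations are per role only; unless it exists elsewhere in the file, a case asserting that a super admin does receive both capabilities on Multisite would pin the behaviour this commit introduces.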