Changeset 43111


Timestamp:
05/02/2018 03:48:27 AM (17 months ago)
Author:
SergeyBiryukov
Message:

Privacy: Limit export and erasure to super admins on Multisite.

Multisite networks have a variety of use cases, and in many of them single-site administrators are not trusted to take actions that affect the whole network, require making decisions about legal compliance, etc. By default, those actions should require super admin capabilities. Plugins can be used to override that behavior if a particular site's use case calls for it.

Props allendav, jeremyfelt, iandunn.
Merges [43085] to the 4.9 branch.
Fixes #43919.

Location:
branches/4.9
Files:
5 edited

  • branches/4.9

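--- a/branches/4.9/src/wp-admin/includes/ajax-actions.php
+++ b/branches/4.9/src/wp-admin/includes/ajax-actions.php
@@ -4035,5 +4035,5 @@
     }
 
-    if ( ! current_user_can( 'manage_options' ) ) {
+    if ( ! current_user_can( 'export_others_personal_data' ) ) {
         wp_send_json_error( __( 'Invalid request.' ) );
     }
@@ -4213,5 +4213,6 @@
     }
 
-    if ( ! current_user_can( 'delete_users' ) ) {
+    // Both capabilities are required to avoid confusion, see `_wp_personal_data_removal_page()`.
+    if ( ! current_user_can( 'erase_others_personal_data' ) || ! current_user_can( 'delete_users' ) ) {
         wp_send_json_error( __( 'Invalid request.' ) );
     }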
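Review bot: At new lines 4037 and 4215 a capability denial is reported with the same generic `Invalid request.` that the handlers presumably also use for malformed input, so an administrator who is now refused by the super-admin mapping on Multisite cannot tell a permissions problem from a bad request. The page callbacks in user.php use a specific message for the same condition; mirroring it here, e.g. `wp_send_json_error( __( 'Sorry, you are not allowed to export personal data on this site.' ) );`, would make support and audit-log triage easier without revealing anything the caller does not already know. Both enclosing handlers begin outside the hunk, so I cannot confirm from here that the nonce check runs before this capability check.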
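--- a/branches/4.9/src/wp-admin/includes/user.php
+++ b/branches/4.9/src/wp-admin/includes/user.php
@@ -745,6 +745,6 @@
  */
 function _wp_personal_data_export_page() {
-    if ( ! current_user_can( 'manage_options' ) ) {
-        wp_die( esc_html__( 'Sorry, you are not allowed to manage privacy on this site.' ) );
+    if ( ! current_user_can( 'export_others_personal_data' ) ) {
+        wp_die( __( 'Sorry, you are not allowed to export personal data on this site.' ) );
     }
 
@@ -810,6 +810,12 @@
  */
 function _wp_personal_data_removal_page() {
-    if ( ! current_user_can( 'delete_users' ) ) {
-        wp_die( esc_html__( 'Sorry, you are not allowed to manage privacy on this site.' ) );
+    /*
+     * Require both caps in order to make it explicitly clear that delegating
+     * erasure from network admins to single-site admins will give them the
+     * ability to affect global users, rather than being limited to the site
+     * that they administer.
+     */
+    if ( ! current_user_can( 'erase_others_personal_data' ) || ! current_user_can( 'delete_users' ) ) {
+        wp_die( __( 'Sorry, you are not allowed to erase data on this site.' ) );
     }
 
@@ -877,6 +883,6 @@
  */
 function _wp_privacy_hook_requests_page() {
-    add_submenu_page( 'tools.php', __( 'Export Personal Data' ), __( 'Export Personal Data' ), 'manage_options', 'export_personal_data', '_wp_personal_data_export_page' );
-    add_submenu_page( 'tools.php', __( 'Remove Personal Data' ), __( 'Remove Personal Data' ), 'manage_options', 'remove_personal_data', '_wp_personal_data_removal_page' );
+    add_submenu_page( 'tools.php', __( 'Export Personal Data' ), __( 'Export Personal Data' ), 'export_others_personal_data', 'export_personal_data', '_wp_personal_data_export_page' );
+    add_submenu_page( 'tools.php', __( 'Remove Personal Data' ), __( 'Remove Personal Data' ), 'erase_others_personal_data', 'remove_personal_data', '_wp_personal_data_removal_page' );
 }
 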
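Review bot: The removal page is registered at new line 886 with only `erase_others_personal_data`, while `_wp_personal_data_removal_page()` at line 818 additionally requires `delete_users`; a user who has been delegated the erase capability by a plugin but lacks `delete_users` will see the Tools menu entry and then hit `wp_die()` when opening it. `add_submenu_page()` takes a single capability string, so the coupling cannot be expressed there; documenting it on the call is the cheapest fix, e.g. `// The page callback also requires 'delete_users'; see _wp_personal_data_removal_page().`. Separately, both page callbacks switch from `esc_html__()` to `__()` for the `wp_die()` message (lines 748 and 819); translation catalogs are trusted, so this is not a vulnerability, but keeping `esc_html__()` would have preserved the previous escaping at no cost.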
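--- a/branches/4.9/src/wp-includes/capabilities.php
+++ b/branches/4.9/src/wp-includes/capabilities.php
@@ -540,4 +540,8 @@
         }
         break;
+    case 'export_others_personal_data':
+    case 'erase_others_personal_data':
+        $caps[] = is_multisite() ? 'manage_network' : 'manage_options';
+        break;
     default:
         // Handle meta capabilities for custom post types.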
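Review bot: The new `case` block at lines 542-545 has no comment explaining why Multisite maps these capabilities to `manage_network`, so the rationale survives only in the commit message. Because the block appends `manage_network`/`manage_options` rather than `$cap` itself, granting `export_others_personal_data` or `erase_others_personal_data` directly to a role has no effect; the delegation the commit message promises has to go through the `map_meta_cap` filter, which is worth stating where a plugin author will look. Suggested comment above the first `case`: `// Export and erasure can affect users across the whole network, so on Multisite only super admins (manage_network) may do it; plugins can relax this via the 'map_meta_cap' filter.`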
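--- a/branches/4.9/tests/phpunit/tests/user/capabilities.php
+++ b/branches/4.9/tests/phpunit/tests/user/capabilities.php
@@ -237,4 +237,6 @@
             'update_languages'       => array( 'administrator' ),
             'deactivate_plugins'     => array( 'administrator' ),
+            'export_others_personal_data' => array( 'administrator' ),
+            'erase_others_personal_data'  => array( 'administrator' ),
 
             'edit_categories'        => array( 'administrator', 'editor' ),
@@ -268,4 +270,6 @@
             'update_languages'       => array(),
             'deactivate_plugins'     => array(),
+            'export_others_personal_data' => array( '' ),
+            'erase_others_personal_data'  => array( '' ),
 
             'customize'              => array( 'administrator' ),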