Opened 15 years ago
Closed 15 years ago
#11894 closed defect (bug) (fixed)
multisite permission checks should use caps when available
Reported by: | Denis-de-Bernardy | Owned by: | |
---|---|---|---|
Milestone: | 3.0 | Priority: | normal |
Severity: | critical | Version: | 3.0 |
Component: | Multisite | Keywords: | |
Focuses: | Cc: |
Description
r12722 introduces a bunch of checks such as:
if ( !is_multisite() || is_super_admin() )
they should be replaced with checks such as:
if ( current_user_can('install_plugins') )
Change History (7)
#2
follow-up:
↓ 3
@
15 years ago
In MU only site admins can install plugins and themes.
The logic added keeps the existing WP logic when multisite is not enabled and enforces the existing MU permissions when multisite is enabled.
#3
in reply to:
↑ 2
@
15 years ago
Replying to wpmuguru:
In MU only site admins can install plugins and themes.
The logic added keeps the existing WP logic when multisite is not enabled and enforces the existing MU permissions when multisite is enabled.
Right but map_meta_cap() should be used for this, is what Denis is saying. I'm pretty sure ryan added multisite-specific mapping for these capabilities already.
Note: See
TracTickets for help on using
tickets.
r12722 should really be reversed outright, even. this kind of change makes no sense whatsoever:
the actual meta cap check should be changed instead if needed, and mu sites should never grant update_themes to anyone *but* a super admin in the first place.