Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#12815 closed defect (bug) (fixed)

Allow defining $site_admins global array

Reported by: ryan
Owned by:
Milestone: 3.0
Priority: normal
Severity: normal
Version:
Component: Role/Capability
Keywords:
Focuses:
Cc:

Description

For a little extra security and to avoid a DB lookup, some sites define the site admins as an array of user names in wp-config.php.

Attachments (3)

12815.diff (1009 bytes) - added by ryan 5 years ago.
12815.2.diff (4.5 KB) - added by ryan 5 years ago.
12815.3.diff (5.1 KB) - added by ryan 5 years ago.


Change History (10)

@ryan 5 years ago

comment:1 @ryan 5 years ago

  • Summary changed from "Allow defining $site_admins global array to allow bypassing option lookup" to "Allow defining $site_admins global array"

comment:2 @nacin 5 years ago

Seems fine to me. We should probably go with $super_admins since the only thing we'd be breaking compatibility with is wp.com.

We could introduce a get_super_admins() to handle this, that way we can replace more get_site_option( 'site_admins', array( 'admin' ) ); calls, and for example allow ms-users.php to show the right super admins.

If $super_admins is set, the new checkbox on user-edit.php should be disabled, or hidden entirely (it can be hidden as I added a div.updated 'Important' box for super admin profiles).

comment:3 @ryan 5 years ago

Sounds good.

comment:4 @dd32 5 years ago

> that way we can replace more get_site_option( 'site_admins', array( 'admin' ) ); calls

Do we have 'admin' hardcoded anywhere? Keep in mind that with the change to allow a different username to be created during install, it's entirely possible for someone to come along later and register 'admin' if the installer doesn't use it.

comment:5 @nacin 5 years ago

> Do we have 'admin' hardcoded anywhere? Keep in mind that with the change to allow a different username to be created during install, it's entirely possible for someone to come along later and register 'admin' if the installer doesn't use it.

Don't I know it. Yes, we use it everywhere. The sitemeta value would need to be missing and the 'admin' user would need to be gone. Additionally, 'admin' would need to be omitted from the illegal_names sitemeta value, and it is included there by default.

(Not supporting it, just saying how it is used.)

@ryan 5 years ago

@ryan 5 years ago

comment:6 @automattor 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [14206]) Introduce get_super_admins(). Allow hard-coding a global super_admins array and bypassing site options. fixes #12815
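
The lookup order and the 'admin' fallback discussed in comment:2 through comment:6, as an added example that is not part of the ticket and is not the code committed in [14206]. The example_* functions and the $sitemeta and $users arrays are constructed stand-ins for the sitemeta and users tables; the audit generalizes the 'admin' case from comment:5 to any listed login.

```php
<?php
// Added illustration, not WordPress core code. The example_* functions and the
// $sitemeta / $users arrays are constructed stand-ins for the sitemeta table
// and the users table, so the script runs without a WordPress install.

// Resolve the super admin list in the order discussed in the ticket:
// hard-coded global first, then the 'site_admins' option, then array( 'admin' ).
function example_get_super_admins( array $sitemeta ) {
    global $super_admins;
    if ( isset( $super_admins ) && is_array( $super_admins ) ) {
        return array( 'source' => 'global', 'logins' => $super_admins );
    }
    if ( isset( $sitemeta['site_admins'] ) ) {
        return array( 'source' => 'option', 'logins' => $sitemeta['site_admins'] );
    }
    return array( 'source' => 'default', 'logins' => array( 'admin' ) );
}

// Flag every listed login that has no account and is not reserved in
// illegal_names: whoever registers that name next would match the list.
function example_audit_super_admins( array $sitemeta, array $users ) {
    $resolved = example_get_super_admins( $sitemeta );
    $reserved = $sitemeta['illegal_names'] ?? array();
    $findings = array();
    foreach ( $resolved['logins'] as $login ) {
        if ( ! in_array( $login, $users, true ) && ! in_array( $login, $reserved, true ) ) {
            $findings[] = sprintf( "'%s' (from %s) has no account and is not reserved", $login, $resolved['source'] );
        }
    }
    return $findings;
}

// Constructed case 1: option missing, installer chose 'siteowner', and 'admin'
// was dropped from illegal_names, so the default names a login nobody holds.
$users    = array( 'siteowner', 'editor1' );
$sitemeta = array( 'illegal_names' => array( 'www', 'web', 'root' ) );
print_r( example_audit_super_admins( $sitemeta, $users ) );

// Constructed case 2: same install with 'admin' reserved, the default state
// described in comment:5.
$sitemeta['illegal_names'][] = 'admin';
print_r( example_audit_super_admins( $sitemeta, $users ) );

// Constructed case 3: the list is hard-coded, as wp-config.php would do it.
// The option and the 'admin' default are never consulted.
$super_admins = array( 'siteowner' );
print_r( example_audit_super_admins( array(), $users ) );
```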

comment:7 @hakre 5 years ago

Related: #14854
