Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#13000 closed defect (bug) (fixed)

delete_themes and delete_plugins caps do not obey DISALLOW_FILE_EDIT

Reported by: ryan
Owned by: ryan
Milestone: 3.0
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Should they? Deleting is a file modification.

Change History (8)

#1 @ryan
6 years ago

I'm leaning toward no, they shouldn't. Disallowing plugin/theme deletes seems an overloading of DISALLOW_FILE_EDIT. I can see someone setting DISALLOW_FILE_EDIT but still wanting to be able to delete plugins/themes.

#2 @ryan
6 years ago

This comes up from sites that manage everything through svn, themes and plugins included. A means of disabling theme and plugin delete links for such sites would be nice.

#3 @ryan
6 years ago

Such sites would probably need to disallow anything that touches files. Plugin/theme update, delete, install, and edit as well as core upgrades.

#4 @ryan
6 years ago

(In [14088]) Introduce DISALLOW_FILE_MOD for disabling all ops that modify core, theme, or plugins files. see #13000

#5 @ryan
6 years ago

Added DISALLOW_FILE_MODS as a super set of DISALLOW_FILE_EDIT.

#6 @nacin
6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Looks good to me.

#7 @strider72
6 years ago

Is there a comparable Role to "allow file edit"?

I would love to be able to only let one specific user do any kind of file modification....

#8 @dd32
6 years ago

> I would love to be able to only let one specific user do any kind of file modification....

That's where creating a custom role for all users, and only allowing administrators access to everything else. The custom role wouldn't include any of the update or editing related caps.
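The custom-role approach suggested in comment #8 could look like the following. This is an added example, not code from the ticket or from WordPress core; the plugin name, the function names, and the `restricted_admin` role slug are hypothetical, while the capability names are the core ones for the operations listed in comment #3.

```php
<?php
/**
 * Plugin Name: Restricted Admin Role (illustrative example)
 *
 * Builds a role holding every administrator capability except the ones
 * that modify core, theme, or plugin files. The role slug and display
 * name are hypothetical; the capability names are WordPress core's.
 */

// Capabilities covering the operations listed in the ticket:
// plugin/theme update, delete, install, and edit, plus core upgrades.
function example_file_mod_caps() {
	return array(
		'edit_themes', 'edit_plugins', 'edit_files',
		'update_themes', 'update_plugins', 'update_core',
		'install_themes', 'install_plugins',
		'delete_themes', 'delete_plugins',
	);
}

// Administrator capabilities minus the file-modifying ones.
function example_restricted_caps() {
	$admin = get_role( 'administrator' );
	if ( null === $admin ) {
		return array();
	}
	return array_diff_key( $admin->capabilities, array_flip( example_file_mod_caps() ) );
}

// Roles are stored in the database, so create the role once on activation.
// Removing it first keeps the stored capability list in sync on re-activation.
function example_install_restricted_role() {
	remove_role( 'restricted_admin' );
	add_role( 'restricted_admin', 'Restricted Administrator', example_restricted_caps() );
}
register_activation_hook( __FILE__, 'example_install_restricted_role' );
```

Assign the new role to every account except the one that keeps the built-in administrator role. Unlike DISALLOW_FILE_MODS, which applies to all users, this restricts file modification per user; on multisite, super admins are not limited by role capabilities.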
