Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13000 closed defect (bug) (fixed)

delete_themes and delete_plugins caps do not obey DISALLOW_FILE_EDIT

Reported by: ryan
Owned by: ryan
Milestone: 3.0
Priority: normal
Severity: normal
Version:
Component: Security
Keywords:
Focuses:
Cc:

Description

Should they? Deleting is a file modification.

Change History (8)

comment:1 ryan 4 years ago

I'm leaning toward no, they shouldn't. Disallowing plugin/theme deletes seems an overloading of DISALLOW_FILE_EDIT. I can see someone setting DISALLOW_FILE_EDIT but still wanting to be able to delete plugins/themes.

comment:2 ryan 4 years ago

This comes up from sites that manage everything through svn, themes and plugins included. A means of disabling theme and plugin delete links for such sites would be nice.

comment:3 ryan 4 years ago

Such sites would probably need to disallow anything that touches files. Plugin/theme update, delete, install, and edit as well as core upgrades.

comment:4 ryan 4 years ago

(In [14088]) Introduce DISALLOW_FILE_MOD for disabling all ops that modify core, theme, or plugins files. see #13000

comment:5 ryan 4 years ago

Added DISALLOW_FILE_MODS as a super set of DISALLOW_FILE_EDIT.

comment:6 nacin 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Looks good to me.

comment:7 strider72 4 years ago

Is there a comparable Role to "allow file edit"?

I would love to be able to only let one specific user do any kind of file modification....

comment:8 dd32 4 years ago

> I would love to be able to only let one specific user do any kind of file modification....

That's where creating a custom role for all users, and only allowing administrators access to everything else. The custom role wouldn't include any of the update or editing related caps.
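
The approach discussed in comments 7 and 8, as an added example that is not part of the ticket or of WordPress core: a custom role without the file-modifying capabilities, plus a `user_has_cap` filter that leaves those capabilities with one account only. The role name, the `example_` prefixed functions and constants, the user ID and the must-use plugin location are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. Assumed location: wp-content/mu-plugins/.
// Site-wide alternative from this ticket, set in wp-config.php:
//   define( 'DISALLOW_FILE_EDIT', true ); // theme/plugin editors only
//   define( 'DISALLOW_FILE_MODS', true ); // plus install, update, delete, core upgrades

// Assumption: ID of the single account that may modify files.
const EXAMPLE_FILE_MOD_USER_ID = 1;

// Capabilities that change core, plugin or theme files.
const EXAMPLE_FILE_MOD_CAPS = array(
	'edit_files', 'edit_plugins', 'edit_themes',
	'install_plugins', 'update_plugins', 'delete_plugins',
	'install_themes', 'update_themes', 'delete_themes',
	'update_core',
);

// Custom role (hypothetical name): administrator capabilities minus the file caps.
function example_register_restricted_role() {
	if ( get_role( 'example_site_manager' ) ) {
		return; // add_role() writes to the database, so create the role only once.
	}
	$admin = get_role( 'administrator' );
	$caps  = array_diff_key( $admin->capabilities, array_flip( EXAMPLE_FILE_MOD_CAPS ) );
	add_role( 'example_site_manager', 'Site Manager', $caps );
}
add_action( 'init', 'example_register_restricted_role' );

// Enforcement for every other role: strip the file caps from all users except one.
// The fourth argument ($user) is passed by WordPress 3.7 and later.
// Caveat: on multisite, super admins are granted capabilities before this filter runs.
function example_restrict_file_mods( $allcaps, $caps, $args, $user ) {
	if ( (int) $user->ID === EXAMPLE_FILE_MOD_USER_ID ) {
		return $allcaps;
	}
	foreach ( EXAMPLE_FILE_MOD_CAPS as $cap ) {
		unset( $allcaps[ $cap ] ); // A missing capability is treated as denied.
	}
	return $allcaps;
}
add_filter( 'user_has_cap', 'example_restrict_file_mods', 10, 4 );
```

Unlike the constants, this restriction lives in plugin code and the database, so anyone who can edit the plugin file or the role can undo it.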
