WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

#13304 closed defect (bug) (fixed)

Disallow the creation of a /blog/ site

Reported by: ocean90
Owned by: wpmuguru
Milestone: 3.0
Priority: normal
Severity: blocker
Version:
Component: Multisite
Keywords: has-patch
Focuses:
Cc:

Description

Add a check on ms-sites and sign up to disallow the creation of a /blog/ site, because it's reserved for the main site.

Attachments (4)

reserved_names.patch (681 bytes) - added by jwriteclub 5 years ago.
Adds an extra check to 'create_empty_blog'
14902.patch (1.4 KB) - added by jorbin 5 years ago.
14920.patch (1.5 KB) - added by jorbin 5 years ago.
14920.2.patch (1.5 KB) - added by jorbin 5 years ago.

Change History (20)

comment:1 @nacin 5 years ago

We need to prevent these from being valid, aside from also blocking them in ms-settings:
$reserved_blognames = array( 'page', 'comments', 'blog', 'wp-admin', 'wp-includes', 'wp-content', 'files', 'feed' );

comment:2 @wpmuguru 5 years ago

(In [14516]) don't allow blog sub site in folder install, see #13304

@jwriteclub 5 years ago

Adds an extra check to 'create_empty_blog'

comment:3 @jwriteclub 5 years ago

  • Keywords has-patch dev-feedback has-patch needs-feedback added
  • Priority changed from highest omg bbq to normal
  • Severity changed from major to normal

Here's a first whack at it.

It seems to work, but it may not be as robust as necessary

comment:4 @jwriteclub 5 years ago

Actually, this should probably use '$sitemetaillegal_names?[]' instead of $reserved_names

comment:5 follow-up: @nacin 5 years ago

  • Keywords needs-feedback removed
  • Severity changed from normal to major

We were talking about this in IRC, it should be reserved_blognames for names we must absolutely block, such as blog, files, wp-includes, wp-content, etc. Illegal names can be changed in the admin and they should be for signups only.

Reserved names should be blocked when creating a site in the admin, via signup, and also when trying to query said site in ms-settings (as it is there now).

That said, the array should be filterable.

comment:6 @jwriteclub 5 years ago

Well, I left the patch as $reserved_names, but, do we have an existing filter for it? Or do we need to add a new filter to cause it to be called?

comment:7 @ocean90 5 years ago

  • Keywords needs-patch added; has-patch dev-feedback removed
  • Severity changed from major to blocker

We need a global, filterable array: $reserved_blognames. On each place (sign up, ms sites), where we can create a site, we need this array and check, if the name is allowed.

comment:8 in reply to: ↑ 5 @wpmuguru 5 years ago

Replying to nacin:

> We were talking about this in IRC, it should be reserved_blognames for names we must absolutely block, such as blog, files, wp-includes, wp-content, etc. Illegal names can be changed in the admin and they should be for signups only.
>
> Reserved names should be blocked when creating a site in the admin, via signup, and also when trying to query said site in ms-settings (as it is there now).
>
> That said, the array should be filterable.

Users are not allowed to sign up with a '-' in the blogname. So, the only ones that need to be blocked are blog & files.

Since we are expecting a basic level of competency in super admins, I am opposed to putting a hard coded block in that prevents super admins from creating wp- conflicting sites.

comment:9 @wpmuguru 5 years ago

(In [14681]) block creation of 'files' sub site, see #13304

comment:10 @ocean90 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

/blog/ is now blocked. Not on ms-sites page, but "we are expecting a basic level of competency in super admins". So this is fixed.
blocker: -1

comment:11 @nacin 5 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Re-opening after discussion in #13527. I'm expecting a basic level of competency of super admins too, but frankly a "blog" subsite will be the first thing most people create. We need to disallow bad ones everywhere, not just on registration, and control them via a filter.

comment:12 @mitchoyoshitaka 5 years ago

As reporter of #13527, let me also redouble nacin here: reading over this thread, I understand the argument that "we are expecting a basic level of competency in super admins" but I see this as only really making sense for the wp- names which everyone knows exist... as an experienced WP user who actually ran into this issue, it's not self-evident why /blog doesn't work.

@jorbin 5 years ago

comment:13 @jorbin 5 years ago

  • Cc aaron@… added
  • Keywords ux-feedback has-patch added; needs-patch removed

I added a patch that checks against the array of:

'page', 'comments', 'blog', 'files', 'feed'

both for signups and for admin created blogs. There is a filter that allows it to be overridden. I imagine there might be some ux feedback on my error message so I'm tagging as such. Right now it reads:

blog, comments, page, files and feed are not vaild names and are reserved for use by WordPress


comment:14 @wpmuguru 5 years ago

Ensure that those are only blocked in the appropriate version folder or subdomain install. http://blog.domain.com is fine. All of these are fine as subdomains:

'page', 'comments', 'blog', 'files', 'feed'

@jorbin 5 years ago

comment:15 @jorbin 5 years ago

  • Keywords ux-feedback removed

wpmuguru - both parts check for ! is_subdomain_install() before checking the subdirectory_reserved_names list.

I've updated the wording based on IRC https://irclogs.wordpress.org/chanlog.php?channel=wordpress-dev&day=2010-05-26#m137155

@jorbin 5 years ago

comment:16 @nacin 5 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

(In [14928]) Prevent super admins from shooting themselves in the foot. props jorbin. Checks blog names against an array (filterable) of reserved keywords for subdirectory installs. fixes #13304.
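
The rule the thread converges on (one filterable reserved list, enforced on every creation path, and only for subdirectory installs), as an added example that is not the committed patch or WordPress core code. The `sketch_*` function names and the callback-based filter stand-in are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example: stand-alone sketch, not WordPress core code.
// All sketch_* names are hypothetical; only the reserved list and the
// subdirectory-only rule come from the ticket discussion.

/** Default reserved path segments for subdirectory installs (list from comment:13). */
function sketch_reserved_names(array $filters = []): array {
    $names = ['page', 'comments', 'blog', 'files', 'feed'];
    // Stand-in for a filter hook: each callback may add or remove names.
    foreach ($filters as $filter) {
        $names = $filter($names);
    }
    return array_map('strtolower', $names);
}

/**
 * One check shared by every creation path (signup and admin screen),
 * so the admin screen cannot bypass what signup enforces.
 * Returns null when the name is acceptable, or an error string.
 */
function sketch_validate_site_name(string $name, bool $subdomain_install, array $filters = []): ?string {
    // Normalize so "/Blog/" and "blog" are treated as the same path segment.
    $slug = strtolower(trim($name, " \t\n\r/"));
    if ($slug === '') {
        return 'Site name is empty.';
    }
    // Reserved names only collide with main-site URLs in subdirectory installs;
    // as a subdomain, blog.domain.com is fine (comment:14).
    if (!$subdomain_install && in_array($slug, sketch_reserved_names($filters), true)) {
        return "\"$slug\" is reserved for the main site.";
    }
    return null;
}

// Constructed sample input: [requested name, is subdomain install].
$cases = [['blog', false], ['/Blog/', false], ['blog', true], ['news', false], ['wp-admin', false]];
// A site owner extending the list through the filter, here with the wp- names from comment:1.
$extra = [fn(array $n) => array_merge($n, ['wp-admin', 'wp-includes', 'wp-content'])];

foreach ($cases as [$name, $subdomain]) {
    $err = sketch_validate_site_name($name, $subdomain, $extra);
    printf("%-10s %-12s %s\n", $name, $subdomain ? 'subdomain' : 'subdirectory', $err ?? 'ok');
}
```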