Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#14066 closed defect (bug) (fixed)

has_cap() bug when logged in as super-admin

Reported by: bigdawggi Owned by:
Milestone: 3.0.1 Priority: normal
Severity: major Version: 3.0
Component: Role/Capability Keywords: has-patch capabilities, user, permissions
Focuses: Cc:


I've working with a site that has a plugin that adds custom capabilities. When logged in as a super-admin, on the user edit screen (editing a subscriber, not my own profile) all the capabilities were checked.

The plugin (Role Manager) properly grabs the currently-edited user object and calls the has_cap() method on it to see if the user has the current capability.

During the has_cap() check WordPress does the following:

if ( is_multisite() && is_super_admin() ) {
	if ( in_array('do_not_allow', $caps) )
		return false;
	return true;

The is_super_admin() function defaults to the logged-in user if no user ID is passed. Since has_cap() isn't passing the current object's user ID (i.e., $this->ID) it's checking my super-user's capabilities and returning a false positive.

I suggest we pass the current object's user ID into the is_super_admin() method in this instance, so that it's properly checking the object's capabilities instead of falling back to the currently logged in user.

if ( is_multisite() && is_super_admin($this->ID) ) {
	if ( in_array('do_not_allow', $caps) )
		return false;
	return true;

Patch is attached.

Attachments (1)

capabilities.has_cap.diff (346 bytes) - added by bigdawggi 4 years ago.

Download all attachments as: .zip

Change History (4)

comment:1 Denis-de-Bernardy4 years ago

  • Keywords has-patch added
  • Milestone changed from Unassigned to 3.0.1
  • Severity changed from normal to major

comment:2 ryan4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [15311]) Pass ID to is_super_admin(). Props bigdawggi. fixes #14066 for 3.1

comment:3 ryan4 years ago

(In [15312]) Pass ID to is_super_admin(). Props bigdawggi. fixes #14066 for 3.0.1

Note: See TracTickets for help on using tickets.