#14454 closed defect (bug) (fixed)
function map_meta_cap does not use the user ID when checking super admin
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 3.0.1 | Priority: | normal |
Severity: | major | Version: | 3.0 |
Component: | Role/Capability | Keywords: | has-patch capability check super admin |
Focuses: | | Cc: | |
Description
The function map_meta_cap in capabilities.php is checking for super admins in various places like:
```php
case 'edit_users':
	// If multisite these caps are allowed only for super admins.
	if ( is_multisite() && !is_super_admin() )
		$caps[] = 'do_not_allow';
	else
		$caps[] = 'edit_users'; // Explicit due to primitive fall through
	break;
```
or
```php
case 'delete_user':
case 'delete_users':
	// If multisite these caps are allowed only for super admins.
	if ( is_multisite() && !is_super_admin() )
		$caps[] = 'do_not_allow';
	else
		$caps[] = $cap;
	break;
```
In both cases, the function is_super_admin is used without any parameter. That leads to checking whether the currently connected user is a super admin, rather than the user passed to the function map_meta_cap.
In my opinion, this is a bug and the correct code should be:
```php
case 'edit_users':
	// If multisite these caps are allowed only for super admins.
	if ( is_multisite() && !is_super_admin($user_id) )
		$caps[] = 'do_not_allow';
	else
		$caps[] = 'edit_users'; // Explicit due to primitive fall through
	break;
```
and
```php
case 'delete_user':
case 'delete_users':
	// If multisite these caps are allowed only for super admins.
	if ( is_multisite() && !is_super_admin($user_id) )
		$caps[] = 'do_not_allow';
	else
		$caps[] = $cap;
	break;
```
Am I right?
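A regression test that pins down the subject of the check, added here as an example and not part of the ticket or of WordPress core. It assumes the WordPress PHPUnit test framework (WP_UnitTestCase with its user factory) running against a multisite install, since the super-admin branch of map_meta_cap only runs there.

```php
<?php
// Added regression check (assumption: WordPress PHPUnit test framework, multisite install).
// Not part of the ticket or of WordPress core.
class Tests_MapMetaCap_SuperAdminSubject extends WP_UnitTestCase {

	public function test_edit_users_is_resolved_for_target_user_not_current_user() {
		if ( ! is_multisite() ) {
			$this->markTestSkipped( 'The super-admin branch of map_meta_cap only runs on multisite.' );
		}

		// A super admin is the currently logged-in user ...
		$super_id = $this->factory->user->create( array( 'role' => 'administrator' ) );
		grant_super_admin( $super_id );
		wp_set_current_user( $super_id );

		// ... and the capability question is about a different, ordinary user.
		$editor_id = $this->factory->user->create( array( 'role' => 'editor' ) );

		// The editor must map to do_not_allow regardless of who is logged in.
		// With the bug, is_super_admin() is asked about the current user (the super admin),
		// so the editor is granted 'edit_users' instead.
		$caps = map_meta_cap( 'edit_users', $editor_id );
		$this->assertContains( 'do_not_allow', $caps );
		$this->assertNotContains( 'edit_users', $caps );

		$caps = map_meta_cap( 'delete_users', $editor_id );
		$this->assertContains( 'do_not_allow', $caps );
		$this->assertNotContains( 'delete_users', $caps );

		// The super admin, asked about directly, keeps the capability.
		$caps = map_meta_cap( 'edit_users', $super_id );
		$this->assertContains( 'edit_users', $caps );
		$this->assertNotContains( 'do_not_allow', $caps );
	}
}
```

The test fails against the code quoted first (the editor receives 'edit_users') and passes once is_super_admin() is given $user_id.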
Attachments (1)
Change History (8)
Here are the changes in patch form.