Opened 4 years ago

Closed 4 years ago

#14854 closed defect (bug) (worksforme)

Default admin username is not "admin" any longer per default

Reported by: hakre Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.0
Component: Role/Capability Keywords:
Focuses: multisite Cc:

Description

But the API function get_super_admins(), introduced in 3.0.0, has it hardcoded as the default:

/**
 * Retrieve a list of super admins.
 *
 * @since 3.0.0
 *
 * @uses $super_admins Super admins global variable, if set.
 *
 * @return array List of super admin logins
 */
function get_super_admins() {
	global $super_admins;

	if ( isset($super_admins) )
		return $super_admins;
	else
		return get_site_option( 'site_admins', array('admin') );
}

The concrete line is:
return get_site_option( 'site_admins', array( 'admin' ) );

in file /wp-includes/capabilities.php.

Attachments (1)

14854.patch (467 bytes) - added by hakre 4 years ago.
fix fix

Change History (11)

comment:1 hakre 4 years ago

It was the default, unchangeable username of the default administrator in WordPress versions prior to 3.0. Related: #10396

comment:2 dd32 4 years ago

  • Keywords multisite added

Note: The only time the default condition of 'admin' will be hit here is when the site_admins option doesn't exist, or is corrupt. The Network install will populate this with the correct values.

Personally I'm not sure why there is a default specified here at all, as it shouldn't ever have to fall back like that.

comment:3 dd32 4 years ago

  • Version set to 3.0

It was also raised by myself here: #12815

The illegal_names meta by default includes 'admin' as well, so users cannot register with the 'admin' name in the event that it's not in use.

I would still prefer to remove the default values and handle a false (i.e. no super admin exists) condition somehow instead in the functions where it's needed.

comment:4 hakre 4 years ago

I thought about having this empty for default as well because I asked myself quite the same question. The option should be set, otherwise the blog isn't properly configured.

I'll do a patch for this one.

hakre 4 years ago

fix fix

comment:5 hakre 4 years ago

Note: I have not rated the severity of this when doing the issue. So this must not be a blocker or so at all. It's just something that was caught by my eyes when I made some edits.

comment:6 follow-up: nacin 4 years ago

This is left over from MU. I would rather not commit this then lock out a ton of MU-era administrators who may not have the value set.

comment:7 nacin 4 years ago

  • Component changed from Security to Role/Capability

comment:8 in reply to: ↑ 6 hakre 4 years ago

Replying to nacin:

This is left over from MU. I would rather not commit this then lock out a ton of MU-era administrators who may not have the value set.

Maybe something to add into the MU->WP migration part?

comment:9 hakre 4 years ago

Is it true that there are MU setups that do not have that value set?

comment:10 westi 4 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

This is back compat with old MU installs and I don't think we need to remove this.
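
The fallback discussed in this ticket, as an added example that is not part of the ticket, its patch or WordPress core: a stand-alone PHP model that compares the array('admin') default with an empty default and reports when super admin status comes from the fallback instead of stored data. The demo_* functions, the in-memory options arrays and the logins are constructed for illustration.

```php
<?php
// Added example: a stand-alone model, not WordPress core code.
// Each $options array is a constructed stand-in for the network options table.

// In-memory stand-in for get_site_option( $option, $default ).
function demo_get_site_option( array $options, $key, $default = false ) {
	return array_key_exists( $key, $options ) ? $options[ $key ] : $default;
}

// The lookup from the ticket, with the fallback list passed in so the
// current default and an empty default can be compared.
function demo_get_super_admins( array $options, array $fallback ) {
	return demo_get_site_option( $options, 'site_admins', $fallback );
}

// Report whether super admin status comes from stored data or the fallback.
function demo_audit( array $options, array $logins ) {
	if ( ! array_key_exists( 'site_admins', $options ) ) {
		return in_array( 'admin', $logins, true )
			? "fallback in use: account 'admin' is super admin without being listed"
			: "fallback in use: no account named 'admin', so no effective super admin";
	}
	if ( ! is_array( $options['site_admins'] ) || ! $options['site_admins'] ) {
		return 'site_admins is stored but is not a usable list';
	}
	return 'site_admins is stored: ' . implode( ', ', $options['site_admins'] );
}

// Constructed cases: array( label, network options, existing logins ).
$cases = array(
	array( 'network install', array( 'site_admins' => array( 'alice' ) ), array( 'alice', 'bob' ) ),
	array( 'MU-era, option missing', array(), array( 'admin', 'bob' ) ),
	array( 'option missing, no admin', array(), array( 'carol' ) ),
);

foreach ( $cases as $case ) {
	list( $label, $options, $logins ) = $case;
	$current = demo_get_super_admins( $options, array( 'admin' ) ); // default on the page
	$emptied = demo_get_super_admins( $options, array() );          // default removed
	printf(
		"%s\n  audit: %s\n  default 'admin': [%s]\n  empty default: [%s]\n",
		$label,
		demo_audit( $options, $logins ),
		implode( ', ', $current ),
		implode( ', ', $emptied )
	);
}
```

The second case is the one raised in comment:6: with the option missing, an empty default leaves the network with no super admin, while the current default grants that role to whichever account holds the login 'admin'.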
