WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#18721 closed defect (bug) (wontfix)

Site admins can remove super admins from a site

Reported by: johnbillion Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.3
Component: Multisite Keywords: close
Focuses: Cc:

Description

Pretty much what the title says. In multisite, a site administrator can remove a super admin from their site. I don't think this is desirable. A regular admin should not be able to change a super admin's access rights.

Change History (3)

comment:1 @scribu4 years ago

A super admin has access to all sites, no matter if he has ab=n actual role on that site.

The problem is that get_blogs_of_user() doesn't return all the blogs when it's called for a super-admin.

comment:2 @nacin4 years ago

  • Keywords close added; needs-patch removed

I don't think get_blogs_of_user() should return all blogs for a super admin. It should only return those that are explicit. I don't have a problem with admins being able to remove a super admin, either.

If you want to prevent this, it's pretty easy to hook into the promote_user meta cap.

comment:3 @wonderboymusic3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Nacin marked this "close" 10 months ago, no comments since.

Note: See TracTickets for help on using tickets.