Opened 3 years ago

Closed 10 months ago

Last modified 10 months ago

#20824 closed defect (bug) (wontfix)

current_user_can() bug with Super Admin

Reported by: abdessamad idrissi
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.3.2
Component: Users
Keywords:
Focuses:
Cc:

Description

If the logged-in user is a super admin, this returns true:

if (current_user_can('contributor')) echo 'current user is a contributor';

Normally it should return false as it does for administrator, author, editor and subscriber account types.

I spotted this while working in my localhost Multisite install then figured it doesn't work in the live standalone version!

Attachments (1)

capabilities.php.patch (3.8 KB) - added by rodrigosprimo 18 months ago.
Implementation of WP_Users->has_role() and current_user_has_role()


Change History (11)

comment:1 @scribu 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

You should not pass role names to current_user_can(); only capabilities.

Also, the only way to test for super-admins is by using is_super_admin().

Last edited 3 years ago by scribu

comment:2 @abdessamad idrissi 3 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

But in the codex:

...this function accepts capability or role name.

The same thing is stated in the wp-includes/capabilities.php

So what to believe?

I don't want to check if the user is a super admin; I want to check if the user is a contributor. Of course there are other techniques to make this happen, but I just wanted to report a bug in this function, as it fails when it comes to super admins.

comment:3 @scribu 3 years ago

  • Milestone set to Awaiting Review

I updated the codex page.

From WP_User::has_cap():

		// Multisite super admin has all caps by definition, Unless specifically denied.
		if ( is_multisite() && is_super_admin( $this->ID ) ) {
			if ( in_array('do_not_allow', $caps) )
				return false;
			return true;
		}

current_user_can('contributor') usually works only because role names are mangled up with capability names. We should update the inline docs.
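
The behaviour discussed in comments 1 to 3, as an added example that is not part of the ticket and not WordPress core code: a simplified stand-alone model of the quoted `has_cap()` branch, comparing a role name passed as a capability with a check against the role list. `ModelUser`, `ROLE_CAPS`, `hasCap()` and `hasRole()` are hypothetical names, and the role-to-capability map is a constructed subset.

```php
<?php
// Simplified model of the has_cap() branch quoted in comment:3.
// ModelUser, ROLE_CAPS and the method names are hypothetical, not WordPress core.
const ROLE_CAPS = [ // constructed subset of role => capabilities
    'contributor'   => ['read', 'edit_posts'],
    'administrator' => ['read', 'edit_posts', 'manage_options'],
];

final class ModelUser {
    private $roles;       // role slugs held on the current site
    private $superAdmin;  // network-wide super admin flag

    public function __construct(array $roles, bool $superAdmin = false) {
        $this->roles = $roles;
        $this->superAdmin = $superAdmin;
    }

    // Capability check. Role names sit in the same list as real capabilities,
    // which is why passing a role name "usually works".
    public function hasCap(string $cap, bool $multisite): bool {
        if ($multisite && $this->superAdmin) {
            return $cap !== 'do_not_allow'; // super admin: everything unless denied
        }
        $allcaps = $this->roles;
        foreach ($this->roles as $role) {
            $allcaps = array_merge($allcaps, ROLE_CAPS[$role] ?? []);
        }
        return in_array($cap, $allcaps, true);
    }

    // Role check that reads the role list only, so the short-circuit never applies.
    public function hasRole(string $role): bool {
        return in_array($role, $this->roles, true);
    }
}

$users = [ // constructed sample accounts, all evaluated as on a Multisite install
    'contributor'             => new ModelUser(['contributor']),
    'administrator'           => new ModelUser(['administrator']),
    'super admin (multisite)' => new ModelUser(['administrator'], true),
];
foreach ($users as $label => $u) {
    printf("%-24s can('contributor')=%-5s has_role('contributor')=%-5s can('edit_posts')=%s\n",
        $label,
        var_export($u->hasCap('contributor', true), true),
        var_export($u->hasRole('contributor'), true),
        var_export($u->hasCap('edit_posts', true), true));
}
```

In WordPress itself the role list is the `roles` property of the `WP_User` object returned by `wp_get_current_user()`. For access decisions, pass a real capability such as `edit_posts` to `current_user_can()` rather than a role name.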

comment:4 @scribu 3 years ago

In general, it would be nice to have WP_User->has_role().

Version 0, edited 3 years ago by scribu

comment:5 @abdessamad idrissi 3 years ago

Would be good to update the inline doc too so the codex page won't get wrongly re-modified!

comment:7 @rodrigosprimo 18 months ago

  • Cc rodrigosprimo@… added

@rodrigosprimo 18 months ago

Implementation of WP_Users->has_role() and current_user_has_role()

comment:8 @rodrigosprimo 16 months ago

Considering comment:10:ticket:22624, should we close this ticket?

comment:9 @rodrigosprimo 10 months ago

  • Resolution set to wontfix
  • Status changed from reopened to closed

Nacin mentioned on a similar ticket that this is not going to be implemented:

comment:10:ticket:22624

comment:10 @DrewAPicture 10 months ago

  • Milestone Awaiting Review deleted