WordPress.org

Make WordPress Core

Opened 23 months ago

Last modified 4 months ago

#20824 reopened defect (bug)

current_user_can() bug with Super Admin

Reported by: abdessamad idrissi
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.3.2
Component: Users
Keywords:
Focuses:
Cc:

Description

If the logged-in user is a super admin, this returns true:

	if (current_user_can('contributor')) echo 'current user is a contributor';

Normally it should return false as it does for administrator, author, editor and subscriber account types.

I spotted this while working in my localhost Multisite install then figured it doesn't work in the live standalone version!

Attachments (1)

capabilities.php.patch (3.8 KB) - added by rodrigosprimo 7 months ago.
Implementation of WP_Users->has_role() and current_user_has_role()


Change History (9)

comment:1 scribu 23 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

You should not pass role names to current_user_can(); only capabilities.

Also, the only way to test for super-admins is by using is_super_admin().

Last edited 23 months ago by scribu

comment:2 abdessamad idrissi 23 months ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

But in the codex:

...this function accepts capability or role name.

The same thing is stated in the wp-includes/capabilities.php

So what to believe?

I don't want to check if the user is a super admin, I want to check if the user is a contributor. Of course there are other techniques to make this happen, but I just wanted to report a bug in this function as it fails when it comes to super admins.

comment:3 scribu 23 months ago

  • Milestone set to Awaiting Review

I updated the codex page.

From WP_User::has_cap():

		// Multisite super admin has all caps by definition, Unless specifically denied.
		if ( is_multisite() && is_super_admin( $this->ID ) ) {
			if ( in_array('do_not_allow', $caps) )
				return false;
			return true;
		}

current_user_can('contributor') usually works only because role names are mangled up with capability names. We should update the inline docs.

comment:4 scribu 23 months ago

In general, it would be nice to have WP_User->has_role('contributor').

Last edited 23 months ago by scribu
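
The behaviour discussed in comment:3 and comment:4, as an added example that is not part of the ticket or of WordPress core: a simplified model of the has_cap() short-circuit next to a role check that reads only the user's role list. ExampleUser, hasCap(), hasRole() and the role and capability sample data are hypothetical stand-ins constructed for illustration.

```php
<?php
// Simplified model for illustration; NOT WordPress's WP_User implementation.
// Role names and capability lists below are constructed sample data.
final class ExampleUser {
    public array $roles;     // role names assigned to the user
    public array $allcaps;   // capability => true, with role names mixed in
    public bool $superAdmin; // multisite super admin flag

    public function __construct(array $roles, array $roleCaps, bool $superAdmin = false) {
        $this->roles = $roles;
        $this->superAdmin = $superAdmin;
        // Each role name is stored next to the role's capabilities, which is
        // why passing a role name to a capability check "usually works".
        $this->allcaps = array_fill_keys($roles, true);
        foreach ($roles as $role) {
            $this->allcaps += array_fill_keys($roleCaps[$role] ?? [], true);
        }
    }

    // Same shape as the has_cap() excerpt in comment:3 (simplified: one cap).
    public function hasCap(string $cap, bool $multisite = true): bool {
        if ($multisite && $this->superAdmin) {
            return $cap !== 'do_not_allow';
        }
        return !empty($this->allcaps[$cap]);
    }

    // Role membership from the role list only; the short-circuit cannot affect it.
    public function hasRole(string $role): bool {
        return in_array($role, $this->roles, true);
    }
}

$roleCaps = [
    'contributor'   => ['read', 'edit_posts', 'delete_posts'],
    'administrator' => ['read', 'edit_posts', 'manage_options'],
];
$users = [
    'contributor'   => new ExampleUser(['contributor'], $roleCaps),
    'administrator' => new ExampleUser(['administrator'], $roleCaps),
    'super admin'   => new ExampleUser(['administrator'], $roleCaps, true),
];
foreach ($users as $label => $u) {
    printf("%-13s can('contributor')=%-5s hasRole('contributor')=%-5s can('edit_posts')=%s\n",
        $label,
        var_export($u->hasCap('contributor'), true),
        var_export($u->hasRole('contributor'), true),
        var_export($u->hasCap('edit_posts'), true));
}
```

In this model only the super admin row differs between the two checks: the capability-style test on the role name passes, while the role-list test does not.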

comment:5 abdessamad idrissi 23 months ago

Would be good to update the inline doc too so the codex page won't get wrongly re-modified!

comment:7 rodrigosprimo 7 months ago

  • Cc rodrigosprimo@… added

rodrigosprimo 7 months ago

Implementation of WP_Users->has_role() and current_user_has_role()

comment:8 rodrigosprimo 4 months ago

Considering comment:10:ticket:22624, should we close this ticket?
