WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#23820 closed defect (bug) (invalid)

Multisite: Cannot give unfiltered_html to administrator

Reported by: dyordan1 Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.5.1
Component: Multisite Keywords:
Focuses: Cc:

Description

I need to have all administrators (regular, not network admins) on a network be able to add unfiltered html and I found an interesting bug (or feature if there's a reason to disallow to anyone but network admin?). I might be missing something but the code below seems contradictory. (Logged in as admin while running the code)

$theAdmin = get_role('administrator');
$theAdmin->add_cap('unfiltered_html');

global $current_user;

var_dump($current_user->has_cap('unfiltered_html')); //bool(false)
var_dump($current_user->allcaps['unfiltered_html']); //bool(true)

Change History (6)

#1 @dyordan1
6 years ago

  • Summary changed from Multisite: Cannot give unfiltered html to administrator to Multisite: Cannot give unfiltered_html to administrator

#2 @SergeyBiryukov
6 years ago

  • Component changed from General to Multisite

#3 in reply to: ↑ description ; follow-up: @johnbillion
6 years ago

Replying to dyordan1:

I need to have all administrators (regular, not network admins) on a network be able to add unfiltered html

There's a plugin for that: http://wordpress.org/extend/plugins/unfiltered-mu/

#4 in reply to: ↑ 3 ; follow-up: @dyordan1
6 years ago

Replying to johnbillion:

Replying to dyordan1:

I need to have all administrators (regular, not network admins) on a network be able to add unfiltered html

There's a plugin for that: http://wordpress.org/extend/plugins/unfiltered-mu/

That plugin has not been updated in a while and I don't believe in installing a plugin for a single line of code I need. I also know about the oEmbed functionality of WordPress but that's not what I'm looking for either. My purpose is to give admins unfiltered_html, period, and that doesn't seem to be working. I looked at the code of has_cap but couldn't figure out what was going wrong so I submitted it here.

#5 in reply to: ↑ 4 ; follow-up: @obenland
6 years ago

  • Keywords 2nd-opinion removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Replying to dyordan1:

I looked at the code of has_cap but couldn't figure out what was going wrong so I submitted it here.

This is not a support forum. We have an actual support forum for that.


That plugin has not been updated in a while and I don't believe in installing a plugin for a single line of code I need.

This is unfortunate. The fact that it hasn't been updated in two years does not mean it doesn't work anymore. Especially having the authors that it has.

Unfiltered html for roles other than the super admin will (most likely) never happen, for the reasons outlined in the plugin description: "Any user could add Javascript code to steal the login cookies of any visitor who runs a blog on the same site. The rogue user can then impersonate any of those users and wreak havoc." Just recently we had another proof of that in r21774.

#6 in reply to: ↑ 5 @dyordan1
6 years ago

Replying to obenland:

Replying to dyordan1:

I looked at the code of has_cap but couldn't figure out what was going wrong so I submitted it here.

This is not a support forum. We have an actual support forum for that.

has_cap is a core function. Look at the code I posted and if you tell me it really is a support question I'll leave this closed and move along.

That plugin has not been updated in a while and I don't believe in installing a plugin for a single line of code I need.

This is unfortunate. The fact that it hasn't been updated in two years does not mean it doesn't work anymore. Especially having the authors that it has.

Unfiltered html for roles other than the super admin will (most likely) never happen, for the reasons outlined in the plugin description: "Any user could add Javascript code to steal the login cookies of any visitor who runs a blog on the same site. The rogue user can then impersonate any of those users and wreak havoc." Just recently we had another proof of that in r21774.

I am not asking to see it in core, I am trying to do it on one customized theme which will be used on one network with full control over who gets administrator roles.
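
The discrepancy in the description (allcaps says true, has_cap() says false), as an added example that is not part of the ticket or of WordPress core: a simplified, stand-alone PHP model of the meta-capability mapping that has_cap() applies before it consults allcaps. The function names and the $ctx array are hypothetical; the model assumes core maps unfiltered_html to do_not_allow on multisite for any user who is not a super admin, and when DISALLOW_UNFILTERED_HTML is set.

```php
<?php
// Simplified model of the capability check (added example, not core code).
// map_meta_cap_model() and has_cap_model() are hypothetical stand-ins for
// map_meta_cap() and WP_User::has_cap(); $ctx replaces is_multisite(),
// is_super_admin() and the DISALLOW_UNFILTERED_HTML constant.

function map_meta_cap_model(string $cap, array $ctx): array {
    if ($cap === 'unfiltered_html') {
        if ($ctx['disallow_unfiltered_html']) {
            return ['do_not_allow'];        // constant blocks everyone
        }
        if ($ctx['multisite'] && !$ctx['super_admin']) {
            return ['do_not_allow'];        // multisite: super admins only
        }
    }
    return [$cap];                          // otherwise the role's own cap decides
}

function has_cap_model(string $cap, array $allcaps, array $ctx): bool {
    $required = map_meta_cap_model($cap, $ctx);
    if ($ctx['multisite'] && $ctx['super_admin']) {
        // Super admins pass everything that is not explicitly denied.
        return !in_array('do_not_allow', $required, true);
    }
    unset($allcaps['do_not_allow']);        // no role can ever hold this cap
    foreach ($required as $primitive) {
        if (empty($allcaps[$primitive])) {
            return false;
        }
    }
    return true;
}

// Constructed sample: role caps after add_cap('unfiltered_html') on 'administrator'.
$allcaps = ['manage_options' => true, 'unfiltered_html' => true];

$cases = [
    'single site, administrator'    => ['multisite' => false, 'super_admin' => false, 'disallow_unfiltered_html' => false],
    'multisite, site administrator' => ['multisite' => true,  'super_admin' => false, 'disallow_unfiltered_html' => false],
    'multisite, super admin'        => ['multisite' => true,  'super_admin' => true,  'disallow_unfiltered_html' => false],
    'multisite, super admin, DISALLOW_UNFILTERED_HTML' => ['multisite' => true, 'super_admin' => true, 'disallow_unfiltered_html' => true],
];

foreach ($cases as $label => $ctx) {
    printf("%-50s allcaps=%s has_cap=%s\n", $label,
        var_export($allcaps['unfiltered_html'], true),
        var_export(has_cap_model('unfiltered_html', $allcaps, $ctx), true));
}
```

The second case is the one in the ticket: the role array carries the capability, but the mapping step replaces it with do_not_allow, so the check fails regardless of what add_cap() stored.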
