WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#32935 closed defect (bug) (fixed)

Deleting a super admin user via wpmu_delete_user should not be possible

Reported by: jeremyfelt Owned by: jeremyfelt
Milestone: 4.3 Priority: normal
Severity: normal Version: 3.0
Component: Users Keywords: has-patch
Focuses: multisite Cc:

Description

We restrict super admins from deletion in the UI and should follow that same guideline in wpmu_delete_user() as well to avoid possible confusion.

Attachments (2)

32935.diff (1.6 KB) - added by jeremyfelt 3 years ago.
32935.2.diff (3.2 KB) - added by jeremyfelt 3 years ago.

Download all attachments as: .zip

Change History (5)

@jeremyfelt
3 years ago

#1 @jeremyfelt
3 years ago

32935.diff uses the same method as wp-admin/network/users.php to determine if the user being deleted is a member of the super admins group before continuing. Also adds tests for the deletion of super admins.

@jeremyfelt
3 years ago

#2 @jeremyfelt
3 years ago

32935.2.diff updates the tests a bit to manage the global super admins. My VM is being strange right now, so I'm not sure they pass.

#3 @jeremyfelt
3 years ago

  • Owner set to jeremyfelt
  • Resolution set to fixed
  • Status changed from new to closed

In 33143:

Do not allow deletion of a super admin user through wpmu_delete_user().

In step with the UI provided by wp-admin/network/users.php, super admin privileges must be removed before a user can be deleted through the API.

Props @johnjamesjacoby, @jeremyfelt.
Fixes #32935.

Note: See TracTickets for help on using tickets.