WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#35007 closed defect (bug) (wontfix)

current_user_can('author') and current_user_can('contributor') returns true even if current user is administrator in multisite installation

Reported by: edville101 Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.4
Component: Role/Capability Keywords:
Focuses: multisite Cc:

Description

After I updated two different multi-site website to WP 4.4,
current_user_can('author') and current_user_can('contributor') are returning true even if the current user is administrator.

Change History (6)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Role/Capability
  • Focuses multisite added
  • Keywords close added

Hi @edville101,

You should not pass role names to current_user_can(), only capabilities.

This was previously reported in #20824, see the discussion there.

#2 @johnbillion
4 years ago

In 35863:

Add assertions for role names as capabilities in the capabilities tests. This ensures the role name is only available as a capability to the corresponding role.

See #35007

#3 @johnbillion
4 years ago

  • Keywords reporter-feedback added

As @SergeyBiryukov pointed out, role names shouldn't be used as capabilities. They work for the built-in roles but they shouldn't be relied on. For super admins, every capability will return true.

I've added some extra tests in [35863] which demonstrate that role names as capabilities work as expected for non-super-admins.

@edville101 Can you test this functionality with all your plugins deactivated and a default theme in use? And ensure that you're not using a super admin role. Thanks!

This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.


3 years ago

#5 @flixos90
3 years ago

  • Keywords close reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I replicated this bug, but it indeed only happens when the current user is a super-admin, as stated above. We could try to address this with a workaround in map_meta_cap(), but since using role names with current_user_can() is discouraged, I think we shouldn't address this now.

If this problem actually occurs when not using a super-admin account, please reopen. Thanks for the ticket @edville101!

Last edited 3 years ago by flixos90 (previous) (diff)

#6 @johnjamesjacoby
3 years ago

FWIW, current_user_can() should always return true for all super administrators (theoretically not for network administrators.)

I.E. current_user_can( 'create_unicorns' ) should return true for super admins.

If there are places where core is checking the role name vs. a capability, those should be tightened up, but plugin or theme authors checking these caps are, agreeably, risking an incompatibility against the anticipated environment.

Note: See TracTickets for help on using tickets.