WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#35551 closed enhancement (fixed)

current_user_can always returns true for Super Admins (Doc update)

Reported by: finnj Owned by: DrewAPicture
Milestone: 4.5 Priority: normal
Severity: normal Version: 4.4.1
Component: Role/Capability Keywords:
Focuses: docs Cc:

Description

Codex documentation needs update on current_user_can()

The documentation does not state, that current_user_can("capability") always will return true if user is Super Admin - caused me some grief, that I would like to save others :)

I suggest to add the following to the Notes section:
current_user_can( $capability ) will aways return true if user is Super Admin, unless specifically denied

Below code is from: https://developer.wordpress.org/reference/classes/wp_user/has_cap/

// Multisite super admin has all caps by definition, Unless specifically denied.
    if ( is_multisite() && is_super_admin( $this->ID ) ) {
        if ( in_array('do_not_allow', $caps) )
            return false;
        return true;
    }

Change History (10)

#1 @ericlewis
5 years ago

  • Milestone changed from Awaiting Review to Future Release

#2 @ericlewis
5 years ago

Seems like a good idea to say this in our docs in the right places.

#3 @jeremyfelt
5 years ago

We do have it noted inline already. Unless we want to be more explicit in the function docs.

@finnj The Codex can be updated by any logged in user if you'd like to make a change there.

#4 follow-up: @finnj
5 years ago

@jeremyfelt the inline is on wp_user has_cap, not on current_user_can()

I added a note on the codex (didn't know I could), and tried on the code reference documentation, but I did not formal the link correctly so it does not look good - Most likely this will be captured by moderation, as I cant edit my note...

https://developer.wordpress.org/reference/functions/current_user_can/

you can close this ticket

#5 @jorbin
5 years ago

As current_user_can is the API function developers are expected to use, a reference on the inline docs makes sense to me. @DrewAPicture - would you agree?

#6 in reply to: ↑ 4 @jeremyfelt
5 years ago

Replying to finnj:

@jeremyfelt the inline is on wp_user has_cap, not on current_user_can()

Oops, I read too quickly. :) +1 for a reference on current_user_can().

#7 @DrewAPicture
5 years ago

  • Owner set to DrewAPicture
  • Status changed from new to reviewing

#8 @DrewAPicture
5 years ago

  • Milestone changed from Future Release to 4.5

Hi @finnj, nice catch :-)

#9 @DrewAPicture
5 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 36492:

Docs: Add a note to the DocBlock for current_user_can() to explain that it will always return true for super admins, unless specifically denied.

Props finnj.
Fixes #35551.

#10 @DrewAPicture
5 years ago

@finnj: Following [36492], I've removed your note from the reference page and have temporarily updated the function description, which will work until the reference is re-parsed for the 4.5 release.

Note: See TracTickets for help on using tickets.