Opened 9 years ago
Last modified 6 weeks ago
#36803 new defect (bug)
ms-files.php: inconsistent behaviour for upload visibility on archived sites
Reported by: | antwortzeit | Owned by: | |
---|---|---|---|
Milestone: | 6.8 | Priority: | normal |
Severity: | normal | Version: | 4.5.2 |
Component: | Media | Keywords: | has-patch |
Focuses: | multisite | Cc: | |
Description
Hey,
I just ran into an odd issue on one of our client's Multisites. I archived the said site and – as you know – it remains accessible for network admins. The matching files however don't. I followed this down to ms-files.php::21ff.

<?php
if ( $current_blog->archived == '1' || $current_blog->spam == '1' || $current_blog->deleted == '1' ) {
	status_header( 404 );
	die( '404 — File not found.' );
}

You see that ms-files.php checks if the blog is archived (or spam or deleted) and then throws out a 404. Shouldn't this include a check for network admin users to see the files? Or, if that's not desirable, couldn't we make this check accessible for filters?
Thanks for the good work!
Christian
Change History (5)
This ticket was mentioned in Slack in #core-multisite by flixos90.
8 years ago
This ticket was mentioned in PR #7696 on WordPress/wordpress-develop by @debarghyabanerjee.
6 weeks ago
#4
- Keywords has-patch added; needs-patch removed
Trac Ticket: Core-36803
## Description:
- An issue was identified in the multisite installations where archived sites remain accessible to network administrators, but the associated files do not. This behavior originates from the logic in ms-files.php, particularly around line 21:
```php
if ( $current_blog->archived == '1' || $current_blog->spam == '1' || $current_blog->deleted == '1' ) {
	status_header( 404 );
	die( '404 — File not found.' );
}
```
- The current implementation checks if the blog is archived, marked as spam, or deleted, and subsequently returns a 404 error for file requests. However, this does not account for network administrators who should retain access to these files.
## Proposed Solution
- An additional check using is_super_admin() has been implemented. This adjustment allows network administrators to access files even if the site is archived, spam, or deleted. The modified code snippet is as follows:
```php
if ( ( $current_blog->archived == '1' || $current_blog->spam == '1' || $current_blog->deleted == '1' ) && ! is_super_admin() ) {
	status_header( 404 );
	die( '404 — File not found.' );
}
```
## Benefits
- Enhanced Access for Network Administrators: This change ensures that network admins can access necessary files for archived sites, improving usability and functionality.
- Preservation of Current Logic: The existing restrictions remain in place for regular users, maintaining intended access controls.
Hi @antwortzeit, thanks for taking the time to open a ticket. We should be able to provide some more consistency here.
It looks like the safest way would be to add an is_super_admin() check rather than rely on any other capabilities. Because ms-files.php uses SHORTINIT, some of our other options are limited.