Opened 8 years ago
Last modified 7 years ago
#37616 reviewing task (blessed)
Replace `is_super_admin()` calls with real capability checks
Reported by: | flixos90 | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Role/Capability | Keywords: | |
Focuses: | multisite | Cc: |
Description
As discussed in Multisite office hours (https://wordpress.slack.com/archives/core-multisite/p1470762377000454), there are plans to improve capability handling in WordPress, to also support network-wide (and possibly global) capabilities. The current is_super_admin()
check system is no actual role- and capability-based system which makes it impractical to refine roles and capabilities on this level.
While a super admin should have access to all capabilities, we should get rid of all is_super_admin()
checks that happen outside of WP_User
and the map_meta_cap()
function and replace those calls with dedicated capabilities. There might be a few other occurrences where is_super_admin()
is actually the right choice, but generally it shouldn't be used in other locations anymore. This will open up new possibilities to think about how we can implement a true role- and capability-based system beyond the scope of a site.
The hardest part of this ticket will probably be finding names for the new capabilities. The good thing is that we most likely won't need to touch any roles or adjust map_meta_cap()
since the new capabilities should only be granted to the super admin for now anyway.
We should probably create a list of occurrences and think about names for the capabilities (or whether we can use existing capabilities) first.
Change History (67)
#2
in reply to:
↑ description
@
8 years ago
Replying to flixos90:
While a super admin should have access to all capabilities, we should get rid of all is_super_admin() checks that happen outside of WP_User and the map_meta_cap() function
I think this is the perfect way to phrase it. :)
The hardest part of this ticket will probably be finding names for the new capabilities. The good thing is that we most likely won't need to touch any roles or adjust
map_meta_cap()
since the new capabilities should only be granted to the super admin for now anyway.
We'll probably figure out a strategy as we get started, but my first guess is that we'd want to create new tickets for each new capability introduced and then use that ticket to decide on the name and make all of the related replacements.
Thanks for the list @Presskopp!
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
8 years ago
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
8 years ago
#5
@
8 years ago
- Owner set to flixos90
- Status changed from new to assigned
I'll look over all the occurrences and prepare some thoughts over these by some time next week.
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
8 years ago
#7
@
8 years ago
I looked through all occurrences of is_super_admin()
as listed above (ignoring those that are inside map_meta_cap()
as we likely cannot get around these until we have dedicated network role management).
I identified three general types of changes we need to do. The following is a list of the is_super_admin()
occurrences and my suggestions how to handle them.
Get rid of checks:
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/edit-form-advanced.php#L311 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/class-wp-posts-list-table.php#L1407
- remove check, other cap should be sufficient
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/menu.php#L31
- remove check, the data isn't used anywhere under that condition (not sure why that check is there)
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/users.php#L324 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/users.php#L380
- could be handled in
map_meta_cap()
instead (see check below respectively)
- could be handled in
Use existing capabilities:
- https://core.trac.wordpress.org/browser/trunk/src/wp-includes/admin-bar.php#L287 and https://core.trac.wordpress.org/browser/trunk/src/wp-includes/admin-bar.php#L386 and https://core.trac.wordpress.org/browser/trunk/src/wp-includes/admin-bar.php#L401 and https://core.trac.wordpress.org/browser/trunk/src/wp-includes/admin-bar.php#L457 and https://core.trac.wordpress.org/browser/trunk/src/wp-includes/link-template.php#L3473 and https://core.trac.wordpress.org/browser/trunk/src/wp-includes/link-template.php#L3479 and https://core.trac.wordpress.org/browser/trunk/src/wp-includes/option.php#L797 and https://core.trac.wordpress.org/browser/trunk/src/wp-includes/option.php#L961 and https://core.trac.wordpress.org/browser/trunk/src/wp-signup.php#L825
- use capability
manage_network
- use capability
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/options.php#L77 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/options.php#L163
- use
manage_network_options
- use
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/ajax-actions.php#L249 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/user-new.php#L40 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/user-new.php#L221 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/user-new.php#L309 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/users.php#L125
- adjust capability
promote_users
- adjust capability
Introduce new capabilities:
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/ms.php#L690
- introduce capability
import_users
- introduce capability
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/ms.php#L759
- introduce capability
upgrade_network
- introduce capability
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/network.php#L18
- introduce capability
setup_multisite
and add it to administrator role (it would make sense to change the related menu item to use that capability as well)
- introduce capability
- https://core.trac.wordpress.org/browser/trunk/src/wp-includes/ms-functions.php#L579
- introduce capability
unfiltered_sites
- introduce capability
- https://core.trac.wordpress.org/browser/trunk/src/wp-includes/ms-load.php#L84
- introduce capability
see_blocked_sites
- introduce capability
- https://core.trac.wordpress.org/browser/trunk/src/wp-admin/options-general.php#L344 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/options-general.php#L349 and https://core.trac.wordpress.org/browser/trunk/src/wp-admin/options.php#L184
- introduce capability
install_languages
- introduce capability
A note on the above: There are several capabilities that are available to admins on a regular setup, but only to a super admin on multisite:
- out of the above capabilities, we would need to change
promote_users
to become such a capability (adddo_not_allow
viamap_meta_cap()
if on multisite and user is not a super admin) - out of the above capabilities, the new capabilities
install_languages
and maybeimport_users
would need to be added to the administrator role, but then be handled inmap_meta_cap()
as well (do_not_allow
if on multisite and user is not a super admin) - the new capability
setup_multisite
needs to be added to the administrator role - the other new capabilities only apply to super admins so they wouldn't need to be added to any role for now
About the next steps: The above occurrences add up to 12 groups in total (some of these occurrences are certainly directly related, therefore less groups then occurrences). I think we should start opening 12 individual tickets for these for further discussion after we have some initial feedback (in this ticket).
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
8 years ago
#9
@
8 years ago
- Owner changed from flixos90 to jeremyfelt
- Status changed from assigned to reviewing
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
#11
@
8 years ago
- Keywords needs-patch added
If any new capabilities are introduced, they should be added to the final block of case
statements in map_meta_cap()
so they can be unit tested in Tests_User_Capabilities
.
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
8 years ago
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
This ticket was mentioned in Slack in #core by jeffpaul. View the logs.
8 years ago
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
8 years ago
#16
@
8 years ago
- Keywords early added
- Milestone changed from 4.7 to Future Release
Moving this to future release. We'll be focusing on this for 4.8. I assigned the early tag so that we know to assign it to the 4.8 milestone immediately. Some tickets associated with this will go in early, others don't have to.
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
#21
@
8 years ago
- Keywords early removed
- Milestone changed from Future Release to 4.8
- Owner jeremyfelt deleted
Bumping to the 4.8 cycle as it's something we want to start focusing on now. We'll be having a discussion in #core-multisite on Nov 22 at 17:00 UTC to walk through this and start making some decisions.
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
8 years ago
#23
@
8 years ago
In today's multisite office hours we started reviewing the proposed changes from above. The goal is to decide the right approach for each occurrence of is_super_admin()
and then determine how these changes should be handled in terms of additional tickets.
This comment serves as a summary for today's progress. It will describe every ticket we agreed on so far.
- Ticket 1: remove 2 checks in
wp-admin/edit-form-advanced.php
andwp-admin/includes/class-wp-posts-list-table.php
- Ticket 2: replace 1 check with
current_user_can( 'update_core' )
inwp-admin/menu.php
- Ticket 3: move the logic to prevent non-super admins/network administrators from removing themselves into
map_meta_cap()
and then remove the 2 additional clauses (including the one more specific error message) inwp-admin/users.php
- Ticket 4: replace 4 checks with
current_user_can( 'manage_network' )
inwp-includes/admin-bar.php
- Ticket 5: replace 2 checks with
user_can( $user_id, 'manage_network' )
inwp-includes/link-template.php
(make sure to pass the$user_id
to both calls, it looks like a bug currently); also add unit tests forget_dashboard_url()
; in addition the clause in https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/class-wp-users-list-table.php#L413 can also be simplified after that change
We will continue reviewing that list (starting with the occurrences in wp-includes/option.php
) tomorrow (Wednesday) at 17:00 UTC in https://wordpress.slack.com/messages/core-multisite. Please make sure to join if you're available and interested in helping out.
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
8 years ago
#26
@
8 years ago
Results from today's meeting (continues the above comment):
- Ticket 6: replace 2 checks with
current_user_can( 'manage_network' )
inwp-includes/option.php
- Ticket 7: replace 1 check with
current_user_can( 'manage_network' )
inwp-signup.php
; in addition, change the message string toGreetings Network Administrator! The network currently allows “%s” registrations. To change or disable registration go to your <a href="%s">Options page</a>.
and the$i18n['blog']
string tosite
to match current naming conventions - Ticket 8: replace 2 checks with
current_user_can( 'manage_network_options' )
inwp-admin/options.php
(lines 77 and 163) - Ticket 9: replace 2 checks with
current_user_can( 'manage_network_users' )
inwp-admin/includes/ajax-actions.php
andwp-admin/user-new.php
(line 228) - Ticket 10: replace 2 checks with
current_user_can( 'manage_network_users' )
inwp-admin/user-new.php
(lines 40 and 316) - Ticket 11: remove 1 check in
wp-admin/user-new.php
(line 66): it's not necessary and might even be considered a bug (right now, when adding a network administrator who's already on the site, that user is still invited again which makes no sense); the$username != null
check might be removed as well, but that should be discussed on another ticket
The review will continue (starting with the occurrence in wp-admin/users.php
) during the next multisite office hours (Tuesday 17:00 UTC).
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
#28
@
8 years ago
Results from today's meeting (completes the above two comments):
- Ticket 12: replace 1 check with
current_user_can( 'manage_network_users' )
inwp-admin/users.php
- Ticket 13: replace 1 check with
current_user_can( 'manage_network_users' )
inwp-admin/includes/ms.php
(line 707) - Ticket 14: replace 1 check with
current_user_can( 'upgrade_database' )
inwp-admin/includes/ms.php
(line 776); this is a completely new capability, thus it needs to be documented (needs-dev-note) and added to the capability unit tests - Ticket 15: replace 1 check with
current_user_can( 'manage_options' )
inwp-admin/network.php
- Ticket 16: remove the entire clause in
wp-includes/ms-functions.php
line 579; the filterwpmu_validate_blog_signup
should be used if this functionality is needed; this change is backward-incompatible and therefore needs to be documented (needs-dev-note) - Ticket 17: open a new ticket to implement dedicate site (and maybe network capabilities, such as
current_user_can( 'manage_site', $site_id )
orcurrent_user_can( 'manage_network', $network_id )
; after having figured this out, replace 1 check withcurrent_user_can( 'manage_site', $blog->id )
inwp-includes/ms-load.php
(line 84) and move it below theget_site()
call - Ticket 18: replace 1 check with
current_user_can( 'manage_options' )
inwp-admin/options-general.php
(line 349) - Ticket 19: discuss the future of how translation installs should be handled, in tickets #38664 and #38673; then the checks in
wp-admin/options-general.php
(line 344) andwp-admin/options.php
(line 184) can either be completely removed or be replaced with a capability as a result of that discussion
That's it for reviewing this ticket. We have 19 tickets to handle in total several of which are very straightforward now. Let's start working on these over the next couple of weeks. Only tickets 17 and 19 rely on other discussions to happen first, so we can tackle the others immediately. When opening a ticket, please reference it in this thread as well.
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
#35
@
8 years ago
Hi @flixos90
I have create Ticket 6: #39199 and also applied patch.
Please check and let me know if its fine.
#37
@
8 years ago
#42
@
8 years ago
To summarize:
- Ticket 6: #39199
- Ticket 7: #39209
- Ticket 8: #39200
- Ticket 9: #39201
- Ticket 10: #39202
- Ticket 11: #39220
- Ticket 12: #39204
- Ticket 13: #39212
- Ticket 14: #39205
- Ticket 15: #39206
- Ticket 16: #39676
- Ticket 18: #39207
Thanks a lot to @Dhaval Parekh @abhishek kaushik @dhanendran @chandrapatel @ashokkumar24 @sathyapulse @jignesh.nakrani - feel free to open the other ones as well (except 17 and 19 since they need something else to happen first)! :)
#43
@
8 years ago
Hi @flixos90
I have create Ticket 13.
Here is the link: https://core.trac.wordpress.org/ticket/39212
And also attached the patch.
This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.
8 years ago
#45
@
8 years ago
Hi @flixos90
I have create Ticket 11.
Here is the link: https://core.trac.wordpress.org/ticket/39220
And also attached the patch. Please check.
This ticket was mentioned in Slack in #core-multisite by jjj. View the logs.
8 years ago
#62
@
8 years ago
- Keywords needs-patch removed
Just an update on the current state:
Out of the original list, #39205 is almost done; #39676 is still open for other reasons, but the is_super_admin()
check has already been removed.
Still to-do:
- Replace check in
wp-includes/ms-load.php
(line 84) withcurrent_user_can( 'manage_site', $blog->id )
and move it below theget_site()
call. This relies on #39156 to be completed prior. - Replace the checks in
wp-admin/options-general.php
(line 147) andwp-admin/options.php
(line 185) with capabilities for managing translations. This relies on #39677 to be completed prior.
Unfortunately I found further occurrences of is_super_admin()
that we missed before (apparently we didn't look for occurrences of is_super_admin( $user_id )
). Individual tickets will need to be opened for those as well, but I'll list them here including suggestions on how to get rid of them:
- Remove check in
wp-admin/includes/schema.php
(line 957) and instead only query users with the 'administrator' role in the above query. This usage only occurs on non-multisite, so it is essentially the same as looking for site administrators. - Replace the following checks with
user_can( $user_id, 'manage_network' )
(these are general checks whether a user is a super admin and therefore we should use the most basic capability to determine that, which ismanage_network
):wp-admin/includes/class-wp-ms-users-list-table.php
(line 208)wp-admin/upgrade.php
(lines 265 and 281)wp-admin/network/site-new.php
(line 132)wp-admin/network/users.php
(line 69)wp-admin/user-edit.php
(line 157)wp-includes/ms-functions.php
(line 1188)wp-login.php
(line 835)
#65
@
8 years ago
To-Do:
- Replace check in
wp-includes/ms-load.php
(line 84) withcurrent_user_can( 'manage_site', $blog->id )
and move it below the get_site() call. This relies on #39156 to be completed prior. - Replace the checks in
wp-admin/options-general.php
(line 147) andwp-admin/options.php
(line 185) with capabilities for managing translations. This relies on #39677 to be completed prior. - Replace the following checks with
user_can( $user_id, 'manage_network' )
(these are general checks whether a user is a super admin and therefore we should use the most basic capability to determine that, which ismanage_network
):wp-admin/includes/class-wp-ms-users-list-table.php
(line 208)wp-admin/upgrade.php
(lines 265 and 281)wp-admin/network/site-new.php
(line 132)wp-admin/network/users.php
(line 69)wp-admin/user-edit.php
(line 157)wp-includes/ms-functions.php
(line 1188)wp-login.php
(line 835)
No tickets have been opened yet for any of the above three items.
At your service: