Make WordPress Core

Opened 3 years ago

Last modified 3 months ago

#39174 new feature request

Introduce network roles

Reported by: flixos90 Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: needs-patch needs-unit-tests
Focuses: multisite Cc:

Description (last modified by flixos90)

We have been discussing introducing network roles during multisite office-hours several times. The original concept for roles on multisite/multinetwork was the following:

Site Administrator < Network Administrator (currently also called "Super Admin") < Global Administrator < Super Admin (special access via $super_admins global, has all capabilities automatically)

This ticket is about network roles in particular, but we need to figure out the entire concept we'll be going with beforehand.

After the initial discussions which happened several weeks ago, I started playing around with that idea and created a plugin with network roles which is available at https://github.com/felixarntz/wp-network-roles. The details on that plugin are described in this Google doc (and are probably worth reading to understand the following discussion better): https://docs.google.com/document/d/1MWwwKmhBJookr5dEcYga4sBtCwvx-K8uSucBFx6SP9U/edit#

I just had a long conversation with @johnbillion around this topic where we agreed on some ideas, disagreed on others, were entirely unsure about others. The following bullet points sum up what we talked about / which questions we raised.

  • The original idea of network roles was that these roles behave similar to regular site roles: They all have a set of capabilities they can perform. These capabilities can apply to either the site or network level. This allows for roles like the current "Super Admin" / "Network Administrator" that has access to everything a site administrator has, but also to any network admin functionality - however it also allows for roles like a possible "Network Editor" which would be the same as if a user had the "Editor" role on every site of the network.
    • Should we support both of these concepts? Or should network roles only affect the actual network admin area? If the latter, which roles would we even need in Core itself (in addition to the "Super Admin" / "Network Administrator")? This decision would also affect whether we should support inheritance of network capabilities to site capabilities or whether network roles would just be additional kind of roles for a user. An example to clarify:
      • First approach: The "Super Admin" / "Network Administrator" has all the capabilities a regular site administrator has, plus the network admin area capabilities (like manage_network or manage_network_options), so they automatically behave as if they were a site administrator on every site in the network.
      • Second approach: The "Super Admin" / "Network Administrator" role only has network admin area capabilities (like manage_network or manage_network_options), so the user also needs to have the site administrator role for each site they want to access. (probably not?)
    • If we support inheritance, can we handle the two kinds of roles together? A "Network Administrator" that has access to the network admin area is conceptually a bit different from a "Network Editor" who can only access all site admin areas on that network. If we find solid descriptive names, we're probably good here. For example, instead of having a "Network Administrator" being the role where one can access the network admin and at the same point be an administrator on all the network's sites, maybe that role should rather be called "Network Manager", while "Network Administrator" is a different role which basically means that user is an administrator on all the network's sites, but cannot access the network admin area.
    • We would certainly need to handle that in a slow migration path: If we introduce a network role system with a predefined set of capabilities in let's say 4.8, we write a dev-note at the same time that tells plugin authors that they now need to add their custom capabilities to the new network role because that role no longer automatically can do anything. At this point however we still keep the current super admin functionality in sync so that the role actually still can do anything. We wait until 2-3 releases later to actually remove the sync thing, which means we get rid of the site_admin network option and from that point on use is_super_admin() and get_super_admins() only to retrieve users specified in the $super_admins global.
    • Is this the right approach at all? Currently the "Super Admin" / "Network Administrator" can do "anything but..." rather than having a predefined set of capabilities. While we can address that with a migration like described above, we still need to think about whether it is the right way to do it. Maybe we need a concept like "Role X can do anything under certain circumstances unless specifically denied".
  • How should we handle Multisite / Multinetwork? Multisite is the "easy" thing here - for all of the changes here we need to consider Multinetwork especially, even though it is not really supported by Core at this point.
  • What do we think a "Super Admin" is? Is that a network administrator with specific capabilities, is it kind of a global administrator or is it a special thing that can do anything, thus not having a predefined set of capabilities? Core itself doesn't really know what a super admin is at this point. In most setups it is a network administrator / network manager as it's stored in a network option. But if you use the $super_admins global, it suddenly turns into some kind of a global administrator. Which of the two are we going to stick with for that terminology?
  • Can we rename the term "Super Admin" at all (in terms of BC)? It would probably become either "Network Administrator" or "Network Manager" depending on the approach. If we can't rename it and keep the name for the "network administrator" role, how are we going to handle the higher role level?

This will likely become a feature project, but this ticket is for more discussion beforehand.

Change History (6)

#1 @flixos90
3 years ago

  • Description modified (diff)

A few related bits of information / background:

Btw "Description modified" is only about a few format tweaks, so don't bother re-reading the ticket description if you have already.

#2 @johnjamesjacoby
3 years ago

@jeremyfelt summarized my thoughts pretty nicely:

  • Site administrator (one or more sites)
  • Network administrator (one or more networks)
  • Global administrator (full control of WordPress installation)
  • Super Admin (sudo mode, emergency access controlled via global $super_admins, etc...)

In all traditional multisite installations with only 1 network, the last 3 are effectively all the same thing, since there's only 1 network admin who also happens to be the global and super admin for all sites and the 1 network. When activating multisite, the user doing it automatically is granted those special privileges.

The concept of a "Global administrator" doesn't make much sense until you consider the things in WordPress that are truly, truly global that would require a global dashboard:

  • Users
  • Sign-ups
  • Registration log
  • Networks

In other words:

  • Site: wp-admin
  • Network : wp-admin/network
  • Global: wp-admin/global

Without a global dashboard, the concept of a global administrator starts to feel very much like a Super Admin, especially when 99 times out of 100 there will be no difference.

In my experience, the major thing to protect is user data.

  • Should site admins be able to edit users? In multisite, the answer is no.
  • Should network admins be able to edit users? Currently, yes, but I think the new answer should be no.
  • Should global admins be able to edit users? When invented, I think yes, but behind a capability check.
  • Should super admins be able to edit users? Yes, and delete, and bypass all capability checks.

There's a natural hierarchy with global/network/site roles, also:

  • Site admins have control over the site
  • Network admins have control over the all sites in that network, and the network itself
  • Global admins have control over all sites and networks in that installation, and the global stuff too
  • Super admins have unfettered access to everything in the system

This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.

3 years ago

This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.

2 years ago

#5 @Mista-Flo
2 years ago

@flixos90 I like your approach, I like the idea of a Network Editor role and so on, it sems to be a valuable feature, the user would only edit posts from all sites of the network without any network dashboard access. We could have a network role which only care about users for example too.

About the difference between "Super Admin" / "Network Administrator" and the concept of Super Admin, I have no opinion, it seems to be the hardest point. I tend to be agree with @johnjamesjacoby explanation.

I also like the name of Network Manager instead of Network Administrator, this seems to be two different behavior like you said, network administrators will be a user admin of all sites of the network while the network manager can handle Network Admin dashboard.

#6 @desrosj
3 months ago

  • Keywords needs-patch needs-unit-tests added
  • Milestone changed from Awaiting Review to Future Release
Note: See TracTickets for help on using tickets.