WordPress.org

Make WordPress Core

Changes between Initial Version and Version 1 of Ticket #39174


Timestamp:
12/08/2016 04:46:17 AM (4 years ago)
Author:
flixos90
Comment:

A few related bits of information / background:

Btw "Description modified" is only about a few format tweaks, so don't bother re-reading the ticket description if you have already.

  • Ticket #39174 – Description

    initial v1  
    11We have been discussing introducing network roles during multisite office-hours several times. The original concept for roles on multisite/multinetwork was the following:
    22
    3 ''Site Administrator < Network Administrator (currently also called "Super Admin" < Global Administrator < Super Admin (special access via `$super_admins` global, has all capabilities automatically)''
     3''Site Administrator < Network Administrator (currently also called "Super Admin") < Global Administrator < Super Admin (special access via `$super_admins` global, has all capabilities automatically)''
    44
    55This ticket is about network roles in particular, but we need to figure out the entire concept we'll be going with beforehand.
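Review bot: the hierarchy on description line 3 still uses "Super Admin" for two different tiers, once as the current alias for Network Administrator and once as the top tier that gets all capabilities through the `$super_admins` global. Since this revision already touches that line to close the parenthesis, consider marking the first use as the legacy label so the privilege ordering cannot be read two ways.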
     
    1414    * If we support inheritance, can we handle the two kinds of roles together? A "Network Administrator" that has access to the network admin area is conceptually a bit different from a "Network Editor" who can only access all site admin areas on that network. If we find solid descriptive names, we're probably good here. For example, instead of having a "Network Administrator" being the role where one can access the network admin and at the same point be an administrator on all the network's sites, maybe that role should rather be called "Network Manager", while "Network Administrator" is a different role which basically means that user is an administrator on all the network's sites, but cannot access the network admin area.
    1515    * We would certainly need to handle that in a slow migration path: If we introduce a network role system with a predefined set of capabilities in let's say 4.8, we write a dev-note at the same time that tells plugin authors that they now need to add their custom capabilities to the new network role because that role no longer automatically can do anything. At this point however we still keep the current super admin functionality in sync so that the role actually still can do anything. We wait until 2-3 releases later to actually remove the sync thing, which means we get rid of the `site_admin` network option and from that point on use `is_super_admin()` and `get_super_admins()` only to retrieve users specified in the `$super_admins` global.
    16     * Is this the right approach at all? Currently the "Super Admin" / "Network Administrator" can do "anything but..." rather than having a predefined set of capabilities. While we can address that with a migration like described above, we still need to think about whether it _is_ the right way to do it. Maybe we need a concept like "Role X can do anything under certain circumstances unless specifically denied".
     16    * Is this the right approach at all? Currently the "Super Admin" / "Network Administrator" can do "anything but..." rather than having a predefined set of capabilities. While we can address that with a migration like described above, we still need to think about whether it ''is'' the right way to do it. Maybe we need a concept like "Role X can do anything under certain circumstances unless specifically denied".
    1717* How should we handle Multisite / Multinetwork? Multisite is the "easy" thing here - for all of the changes here we need to consider Multinetwork especially, even though it is not really supported by Core at this point.
    1818* What do we think a "Super Admin" is? Is that a network administrator with specific capabilities, is it kind of a global administrator or is it a special thing that can do anything, thus not having a predefined set of capabilities? Core itself doesn't really know what a super admin is at this point. In most setups it is a network administrator / network manager as it's stored in a network option. But if you use the `$super_admins` global, it suddenly turns into some kind of a global administrator. Which of the two are we going to stick with for that terminology?