WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#39199 closed enhancement (fixed)

Replace `is_super_admin()` checks with `manage_network` cap checks in wp-includes/option.php

Reported by: chandrapatel Owned by: flixos90
Milestone: 4.8 Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: has-patch
Focuses: multisite Cc:

Description

This is part of the #37616 task. There are 2 is_super_admin() checks in wp-includes/option.php that should be replaced with current_user_can( 'manage_network' ).

See https://core.trac.wordpress.org/ticket/37616#comment:26

Attachments (2)

39199.1.patch (582 bytes) - added by chandrapatel 2 years ago.
Replaced is_super_admin() with current_user_can( 'manage_network' )
39199.diff (1.2 KB) - added by flixos90 2 years ago.

Download all attachments as: .zip

Change History (10)

@chandrapatel
2 years ago

Replaced is_super_admin() with current_user_can( 'manage_network' )

#1 @chandrapatel
2 years ago

Hello,

Please ignore 39199.patch file. I've uploaded wrong patch. I am sorry.

Correct one is 39199.1.patch

#2 @flixos90
2 years ago

#39203 was marked as a duplicate.

#3 @flixos90
2 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 4.8
  • Owner set to flixos90
  • Status changed from new to assigned
  • Type changed from defect (bug) to enhancement

Thanks for the patch @chandrapatel - looking good!

#4 @johnbillion
2 years ago

  • Keywords 2nd-opinion added

The capability check here looks redundant. I think it can be removed and leave just the ! is_user_member_of_blog() check.

#5 @flixos90
2 years ago

  • Keywords needs-refresh added; 2nd-opinion removed

I agree with @johnbillion that the check is redundant. The check was introduced in 22256 to prevent the user settings from being set for a super admin who is not a member of the site. I think it makes sense for this restriction to exist for any kind of user, so we should be able to remove the check.

I noticed that this would also affect wp-admin/includes/dashboard.php line 490 - for some reason we missed this is_super_admin() occurrence entirely before, but it has exactly the same purpose like the ones in this ticket, so we can deal with it in here too.

This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.


2 years ago

@flixos90
2 years ago

#7 @flixos90
2 years ago

  • Keywords needs-refresh removed

39199.diff implements the new approach suggested in the last couple comments. It also replaces the individual check in wp-admin/includes/dashboard.php with an is_user_member_of_blog() call which is similar to what happened in 25109.

#8 @flixos90
2 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 39932:

Multisite: Do not check for is_super_admin() when trying to set user settings.

The checks were introduced in [22256] to prevent user settings to be set for super admins that were not a member of the current site. However the latter should apply to any kind of user, so the is_super_admin() check is redundant. Furthermore, removing these checks is necessary for the ongoing effort to get rid of is_super_admin() checks in general.

Props chandrapatel for initial patch.
Fixes #39199. See #37616.

Note: See TracTickets for help on using tickets.