WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#41326 closed defect (bug) (invalid)

current_user_can('Administrator') does not return true in multisite if user is Administrator but NOT Super Admin

Reported by: subrataemfluence Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Networks and Sites Keywords:
Focuses: ui, administration, multisite Cc:
PR Number:

Description

In multisite mode, when I am removing menu pages (remove_menu_page) for a particular user role (weather-alert-editor) those menu items get disappeared for site admin as well, meaning the menu settings for admin is being overwritten by that of weather-alert-editor! Admin should have default access to everything unless otherwise specified, but this is not happening here.

function restrict_admin_access_by_role() {
   if(function_exists('remove_menu_page')) {
      if(current_user_can('weather-alert-editor')) {
	remove_menu_page('tools.php');
	remove_menu_page('options-general.php');
	remove_menu_page('themes.php');
	remove_menu_page('edit.php?post_type=tradeshow');
	remove_menu_page('jetpack');
	remove_submenu_page('yrc_settings_page', 'yrc_home_settings_page');
      }
      elseif(current_user_can('fuel-surcharge-editor')) {
	remove_menu_page('tools.php');
	remove_menu_page('options-general.php');
	remove_menu_page('themes.php');
	remove_menu_page('edit.php?post_type=tradeshow');
	remove_menu_page('edit.php?post_type=weather_alert');
	remove_menu_page('jetpack');
	remove_menu_page('yrc_settings_page');
     }
   }
}

add_action('admin_init', 'restrict_admin_access_by_role', 999);

Not sure if it is a bug, but I don'f find any documentation or a workaround for this.

Change History (3)

#1 follow-up: @SergeyBiryukov
2 years ago

  • Component changed from Administration to Networks and Sites
  • Keywords close added

In Multisite, current_user_can() always returns true for super admins, regardless of the capability being checked. Even current_user_can( 'create_unicorns' ) would return true :)

See #35007 and the comment in WP_User::has_cap().

Admin should have default access to everything unless otherwise specified, but this is not happening here.

You should add a ! is_super_admin() check to your function.

#2 in reply to: ↑ 1 @subrataemfluence
2 years ago

Replying to SergeyBiryukov:

Oh! I was wrong about the the concept of is_super_admin. Thought it is Network Admin! Thank you.

In Multisite, current_user_can() always returns true for super admins, regardless of the capability being checked. Even current_user_can( 'create_unicorns' ) would return true :)

See #35007 and the comment in WP_User::has_cap().

Admin should have default access to everything unless otherwise specified, but this is not happening here.

You should add a ! is_super_admin() check to your function.

#3 @voldemortensen
2 years ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version 4.8 deleted
Note: See TracTickets for help on using tickets.