WordPress.org

Make WordPress Core

Opened 4 months ago

Last modified 8 weeks ago

#41443 new enhancement

Update /wp-admin/network/site-new.php to use wpmu_validate_blog_signup()

Reported by: neversettle Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.8
Component: Networks and Sites Keywords:
Focuses: multisite Cc:

Description

Is there a good reason that /wp-admin/network/site-new.php uses it's own hard-coded blogname validation rules? Shouldn't it just call wpmu_validate_blog_signup() for DRY as well as a consistent / universal application of filters across all new site names? It seems crazy to have two different sets of validation for the same thing. And as multisite plugin developers we see network admins confused by the different behavior of site-new.php and sites created through plugins which use wpmu_validate_blog_signup().

Change History (3)

This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.


8 weeks ago

#2 follow-up: @flixos90
8 weeks ago

Thanks for the ticket @neversettle, and welcome to Trac!

The reason that wpmu_validate_blog_signup() is not used there is that the function is supposed to handle new sites signed up by users. It is not intended to be used for network admins creating sites, which have all these permissions anyway.

You're right that there is some overlap, such as subdirectory reserved names, but this logic has already been outsourced and is used in both areas through get_subdirectory_reserved_names(). wpmu_validate_blog_signup() has some extra restrictions, such as the /[^a-z0-9]+/ regex, minimum site name length or check against a blacklist of illegal names. However I consider this difference intended, since admins should not need these restrictions.

Let's discuss this a bit and think about whether it makes sense to enforce some of these restrictions to network admins creating new sites as well.

#3 in reply to: ↑ 2 @neversettle
8 weeks ago

Replying to flixos90:

Thanks for the ticket @neversettle, and welcome to Trac!

Thank you, and the explanation is really appreciated! That distinction makes sense, but I wonder if it can be improved. It seems like "unsafe" characters / problematic site names (whether subdir or subdomain mode) should apply to both user-registration and admins. I think super admins should be protected from creating site names that will result in broken sites. On the other side, if characters are safe for an admin to use in a site name why shouldn't a registration-based user be allowed to use them as well?

Maybe it would be as simple as having an additional filter for the admin context with the same validation that new-site.php uses. Or, if I am missing something, what validation should plugins be calling right before passing a new site name to wpmu_create_blog()? It seems like even in an admin context, there should be something more than just checking get_subdirectory_reserved_names() first, which is why we've always used wpmu_validate_blog_signup(). But that has the consistency issue between user vs. admin.

From our perspective consistency in "safe" / "allowed" names is more important than flexibility for the admins. What we've found generally is that any site name an admin would actually create manually they'd also want their users to be able to create through self-registration.

Note: See TracTickets for help on using tickets.