#42332 closed defect (bug) (worksforme)
delete_site permission is not working as it should
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | minor | Version: | 4.2 |
| Component: | Role/Capability | Keywords: | |
| Focuses: | multisite | Cc: | |
Description
In changeset:31673 the delete_site action got its own capability, but from what I tested it's not working.
When the function map_meta_cap in capabilities.php stumbles upon the delete_site capability, it registers it as manage_option.
That means that the condition if(current_user_can( 'delete_site' )) will always be falsey, because there's no scenario when map_meta_cap is producing it.
The current (unwanted) behavior is that when delete_site is explicitly given beyond the scope of the administrator role, the option is not shown in the admin menu, and when using the direct URL ms-delete-site.php a permission error is shown.
Change History (3)
#2
@
8 years ago
- Resolution set to worksforme
- Severity changed from normal to minor
- Status changed from new to closed
Thanks for the quick response, @johnbillion.
I saw that delete_site was not the only permission that uses that sort of "meta capability" logic, and I must say it's kind of a weird behavior.
I didn't see any reference to it in the codex or other documentation, and my assertion was that if I'm explicitly giving some role a certain capability, it should work without any supplements of support on my behalf.
I can't think of a use case when someone gives a delete_site capability to a certain role and doesn't expect that role to have it.
But I guess that's how the permission system works, and of course - your solution of using the map_meta_cap filter worked like a charm.
Thank you very much for explaining that logic and providing a valid solution.
Thanks for the report, @Shebo.
The delete_site capability is a meta capability, which means the capability is only granted to a user or a role at runtime according to logic (in this case, mapping it to the manage_options primitive capability). Granting a meta capability directly to a user or a role won't work.

In order to actually grant a user the delete_site capability, you'll also need to implement a filter such as the following in addition to granting them the delete_site capability via their user or their role:

```php
add_filter( 'map_meta_cap', function( array $required_caps, $cap, $user_id, array $args ) {
	// Require the delete_site capability itself instead of the default mapping.
	if ( 'delete_site' === $cap ) {
		$required_caps = array(
			'delete_site',
		);
	}
	return $required_caps;
}, 10, 4 );
```

Can you let us know if this works as expected?
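
The mapping discussed in this thread, as a simplified stand-alone model added here (it is not WordPress code and not part of the ticket). The names model_map_meta_cap() and model_user_can() are hypothetical, and the role table is constructed data that does not reflect WordPress's default role definitions. It shows which capability entry the check consults before and after a filter like the one in the comment above.

```php
<?php
// Simplified stand-alone model of the capability check discussed in this ticket.
// Not WordPress code: function names and role data are hypothetical/constructed.

// Constructed roles: the primitive capabilities stored on each role.
$roles = array(
	'administrator' => array( 'manage_options' => true ),
	'site_remover'  => array( 'delete_site' => true ), // meta cap granted directly
);

$filters = array(); // stand-in for callbacks hooked to map_meta_cap

function model_map_meta_cap( $cap, array $filters ) {
	// Default mapping described in the ticket: delete_site requires manage_options.
	$required = ( 'delete_site' === $cap ) ? array( 'manage_options' ) : array( $cap );
	foreach ( $filters as $filter ) {
		$required = $filter( $required, $cap );
	}
	return $required;
}

function model_user_can( array $role_caps, $cap, array $filters ) {
	// Every primitive capability returned by the mapping must be held.
	foreach ( model_map_meta_cap( $cap, $filters ) as $needed ) {
		if ( empty( $role_caps[ $needed ] ) ) {
			return false;
		}
	}
	return true;
}

// Without a filter, only manage_options is consulted; the stored delete_site entry is ignored.
var_dump( model_user_can( $roles['site_remover'], 'delete_site', $filters ) );
var_dump( model_user_can( $roles['administrator'], 'delete_site', $filters ) );

// The filter from the comment above, reduced to the two arguments this model passes.
$filters[] = function ( array $required_caps, $cap ) {
	if ( 'delete_site' === $cap ) {
		$required_caps = array( 'delete_site' );
	}
	return $required_caps;
};

// With the filter, the stored delete_site entry is what gets checked, so a role
// holding only manage_options no longer satisfies the delete_site check.
var_dump( model_user_can( $roles['site_remover'], 'delete_site', $filters ) );
var_dump( model_user_can( $roles['administrator'], 'delete_site', $filters ) );
```

Because the filter replaces the required capability rather than adding an alternative, review every role that previously passed the check through manage_options when deploying it.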