#42332 closed defect (bug) (worksforme)
delete_site permission is not working as it should
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | minor | Version: | 4.2 |
| Component: | Role/Capability | Keywords: | |
| Focuses: | multisite | Cc: | |
Description
In changeset:31673 the `delete_site` action got its own capability, but from what I tested it's not working.
When the function `map_meta_cap` in `capabilities.php` stumbles upon the `delete_site` capability, it registers it as `manage_option`.
That means that the condition `if(current_user_can( 'delete_site' ))` will always be falsey, because there's no scenario when `map_meta_cap` is producing it.
The current (unwanted) behavior is that when `delete_site` is explicitly given beyond the scope of the `administrator` role, the option is not shown in the admin menu, and when using the direct URL `ms-delete-site.php` a permission error is shown.
Change History (3)
#2
@
6 years ago
- Resolution set to worksforme
- Severity changed from normal to minor
- Status changed from new to closed
Thanks for the quick response, @johnbillion.
I saw that `delete_site` was not the only permission that uses that sort of "meta capability" logic, and I must say it's kind of a weird behavior.
I didn't see any reference to it in the codex or other documentation, and my assertion was that if I'm explicitly giving some role a certain capability, it should work without any supplements of support on my behalf.
I can't think of a use case when someone gives a `delete_site` capability to a certain role and doesn't expect that role to have it.
But I guess that's how the permission system works, and of course - your solution of using the `map_meta_cap` filter worked like a charm.
Thank you very much for explaining that logic and providing a valid solution.
Thanks for the report, @Shebo.
The `delete_site` capability is a meta capability, which means the capability is only granted to a user or a role at runtime according to logic (in this case, mapping it to the `manage_options` primitive capability). Granting a meta capability directly to a user or a role won't work.
In order to actually grant a user the `delete_site` capability, you'll also need to implement a filter such as the following in addition to granting them the `delete_site` capability via their user or their role:
```php
add_filter( 'map_meta_cap', function( array $required_caps, $cap, $user_id, array $args ) {
	// Replace the default mapping so the check requires delete_site itself.
	if ( 'delete_site' === $cap ) {
		$required_caps = array(
			'delete_site',
		);
	}
	return $required_caps;
}, 10, 4 );
```
Can you let us know if this works as expected?
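A narrower variant of the filter above, as an added example (not code from the ticket or from WordPress core): the posted filter changes the requirement for every user, whereas this one remaps `delete_site` only for users who actually hold it and leaves the default mapping in place for everyone else. The role slug `site_owner`, its label and the constant name are hypothetical, and the file is assumed to be loaded as a mu-plugin on a multisite install.

```php
<?php
/**
 * Example mu-plugin (added illustration, not from the ticket or WordPress core).
 * Delegates site deletion to one role without granting manage_options.
 */

// Hypothetical role slug, chosen for this example.
const EXAMPLE_DELETE_ROLE = 'site_owner';

add_action( 'init', function () {
	// add_role() writes to the database, so only create the role once.
	if ( null === get_role( EXAMPLE_DELETE_ROLE ) ) {
		add_role(
			EXAMPLE_DELETE_ROLE,
			'Site Owner', // hypothetical display name
			array(
				'read'        => true,
				'delete_site' => true, // stored on the role as a primitive capability
			)
		);
	}
} );

add_filter( 'map_meta_cap', function ( array $required_caps, $cap, $user_id, array $args ) {
	if ( 'delete_site' !== $cap ) {
		return $required_caps;
	}

	$user = get_userdata( $user_id );

	// Read allcaps directly. Calling user_can( $user_id, 'delete_site' ) here
	// would run this filter again and recurse.
	if ( $user && ! empty( $user->allcaps['delete_site'] ) ) {
		// The user was explicitly granted delete_site: require exactly that.
		return array( 'delete_site' );
	}

	// Everyone else keeps the default mapping described in the ticket.
	return $required_caps;
}, 10, 4 );
```

Removing the capability from the role with `remove_cap()` revokes the delegation, because the filter then falls back to the default mapping.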