Make WordPress Core

Opened 5 years ago

Last modified 21 months ago

#45818 new defect (bug)

ALLOW_UNFILTERED_UPLOADS does not work on multisite

Reported by: hube2's profile Hube2 Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Upload Keywords:
Focuses: multisite Cc:


In a multisite environment ALLOW_UNFILTERED_UPLOADS does not work. It only works for super admin. /wp-includes/capabilities.php line ~385.

        case 'unfiltered_upload':
                if ( defined('ALLOW_UNFILTERED_UPLOADS') && ALLOW_UNFILTERED_UPLOADS && ( !is_multisite() || is_super_admin( $user_id ) )  )
                        $caps[] = $cap;
                        $caps[] = 'do_not_allow';

I have a site where the client needs to be able to upload files that are created by various CAD applications, too numerous to name them all, I don't even know them all. The mime type varies on these file depending on what application is creating them, there seems to be no standardization for extension/mime type in CAD applications and each file extension is only allowed a single mime type. Due to this I must constantly fiddle with the allowed files and mime types so that they can upload them. This is ridonkulous as there seems to be no other way on multisite to allow unfiltered uploads.

Change History (7)

#1 @desrosj
5 years ago

  • Focuses multisite added

#2 @desrosj
5 years ago

  • Version 5.0.2 deleted

#3 follow-up: @Hube2
5 years ago

If the goal is to completely prevent unfiltered uploads on multisite except for super admin then that if statement is correct. However, I don't see why this would be the case, but maybe I'm missing something. On the other hand, if the goal is to allow unfiltered uploads to super admins and all others as well if ALLOW_UNFILTERED_UPLOADS is true (which is what I would expect) then a couple of minor adjustments to the if statement will correct it

if ( ( defined('ALLOW_UNFILTERED_UPLOADS' ) &&
 ALLOW_UNFILTERED_UPLOADS ) || ( is_multisite() && is_super_admin( $user_id
 ) )  )

#4 @SergeyBiryukov
5 years ago

  • Component changed from General to Upload

#5 in reply to: ↑ 3 @SergeyBiryukov
5 years ago

Replying to Hube2:

If the goal is to completely prevent unfiltered uploads on multisite except for super admin then that if statement is correct.

Per [12630], that is indeed the goal.

#6 @Hube2
5 years ago

Then there should be a way to allow some file extensions to have multiple possible mime types. As I stated in the OP, CAD applications do not appear standardized. Different CAD applications use the same extension while setting a different mime type. It seems that every CAD app uses a different extension/mime combination, all of which appear to be completely valid according to the information I've been reading. With the setup in WP only one mime type can be set per extension (unless I'm missing something, if I am please point me to information). This makes it nearly impossible to allow anyone but a super admin on multisite to upload these files. In my opinion there needs to be a way to override this behavior. If I want to allow unfiltered uploads on my mulitsite installations then I should be able to accomplish this is some way without hacking core files, or expecting an entire software industry to use the same standard mime times where they have not done so for as long as there has been CAD software.

Version 1, edited 5 years ago by Hube2 (previous) (next) (diff)

#7 @jdorner
21 months ago

Until a solution is added in WP - here's a work around:

Note: See TracTickets for help on using tickets.