Make WordPress Core

Opened 5 years ago

Last modified 5 years ago

#49287 new defect (bug)

Users with no page deletion capabilities can delete homepage in multisite

Reported by: robdxw
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Role/Capability
Keywords:
Focuses: multisite
Cc:

Description

To recreate:

  • Set up a vanilla multisite. On one of the sites, set a static page as the homepage. Create a second page for comparison purposes.
  • Create a standard administrator user on that site. By default, they have permission to delete both the pages referred to above (expected behaviour).
  • Add the following to the theme's functions.php:

    add_action('init', function () {
        $role = get_role('administrator');
        $role->remove_cap('delete_pages');
        $role->remove_cap('delete_others_pages');
        $role->remove_cap('delete_published_pages');
    });

The administrator role is now unable to delete pages EXCEPT the page that is set as the homepage, which they are still able to trash.

It appears this bug exists in v4.7 onwards. In 4.6.1 I see the expected behaviour: this code prevents an administrator from trashing any pages, including the page set as the homepage.

Change History (1)

#1 @robdxw
5 years ago

Further info: removing the manage_options capability prevents the user being able to delete the page set as the homepage.
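
A possible workaround for the behaviour reported above, as an added example that is not part of the ticket or of WordPress core: a `map_meta_cap` filter that makes deleting the pages set as `page_on_front` or `page_for_posts` require the ordinary page-deletion capabilities as well. It assumes, in line with comment #1, that core maps deletion of these pages to `manage_options` alone; the function name is hypothetical.

```php
<?php
// Added example (not WordPress core code); the function name is hypothetical.
// Assumption: for the front page and the posts page, core requires only
// 'manage_options' to delete, which matches what comment #1 observed.
add_filter( 'map_meta_cap', 'example_require_delete_caps_for_front_page', 10, 4 );

function example_require_delete_caps_for_front_page( $caps, $cap, $user_id, $args ) {
    // Only the delete meta capabilities, and only when a post ID was passed.
    if ( ! in_array( $cap, array( 'delete_post', 'delete_page' ), true ) || empty( $args[0] ) ) {
        return $caps;
    }

    $post = get_post( $args[0] );
    if ( ! $post ) {
        return $caps;
    }

    // Every other post keeps core's normal mapping untouched.
    $special = array( (int) get_option( 'page_on_front' ), (int) get_option( 'page_for_posts' ) );
    if ( ! in_array( (int) $post->ID, $special, true ) ) {
        return $caps;
    }

    // The primitive capability names below only exist on mapped post types.
    $type = get_post_type_object( $post->post_type );
    if ( ! $type || ! $type->map_meta_cap ) {
        return $caps;
    }

    // Add the usual author/status requirements on top of what core returned,
    // so removing delete_pages etc. from a role also covers these pages.
    if ( (int) $post->post_author === (int) $user_id ) {
        $caps[] = $type->cap->delete_posts;
    } else {
        $caps[] = $type->cap->delete_others_posts;
    }
    if ( in_array( $post->post_status, array( 'publish', 'future' ), true ) ) {
        $caps[] = $type->cap->delete_published_posts;
    } elseif ( 'private' === $post->post_status ) {
        $caps[] = $type->cap->delete_private_posts;
    }

    return array_values( array_unique( $caps ) );
}
```

Because the filter only appends to the list core returns, `manage_options` is still required as well; checking `current_user_can( 'delete_post', $id )` for the homepage as the restricted administrator should then return false.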
