Opened 5 years ago
Last modified 5 years ago
#49287 new defect (bug)
Users with no page deletion capabilities can delete homepage in multisite
Reported by: | robdxw | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Role/Capability | Keywords: | |
Focuses: | multisite | Cc: |
Description
To recreate:
- Set up a vanilla multisite. On one of the sites, set a static page as the homepage. Create a second page for comparison purposes.
- Create a standard administrator user on that site. By default, they have permission to delete both the pages referred to above (expected behaviour).
- Add the following to the theme's `functions.php`:

  ```php
  add_action('init', function () {
      $role = get_role('administrator');
      $role->remove_cap('delete_pages');
      $role->remove_cap('delete_others_pages');
      $role->remove_cap('delete_published_pages');
  });
  ```

The administrator role is now unable to delete pages EXCEPT the page that is set as the homepage, which they are still able to trash.
It appears this bug exists in v4.7 onwards. In 4.6.1 I see the expected behaviour: this code prevents an administrator from trashing any pages, including the page set as the homepage.
Further info: removing the `manage_options` capability prevents the user being able to delete the page set as the homepage.
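
One way to close the gap described in this ticket on an affected site, as an added example that is not part of the ticket or of WordPress core: a `map_meta_cap` filter that makes deleting the static front page (and the posts page) also require the page's ordinary delete capabilities. The function name is hypothetical, and the filter assumes, based on the "Further info" note, that the delete check for these pages is currently satisfied by `manage_options` alone.

```php
<?php
// Added example (not core code). Place in a must-use plugin so a theme
// switch cannot remove it. The function name is hypothetical.
add_filter( 'map_meta_cap', 'example_front_page_requires_delete_caps', 10, 4 );

function example_front_page_requires_delete_caps( $caps, $cap, $user_id, $args ) {
    // Only post/page deletion checks are of interest.
    if ( 'delete_post' !== $cap && 'delete_page' !== $cap ) {
        return $caps;
    }
    if ( empty( $args[0] ) ) {
        return $caps;
    }

    $post = get_post( (int) $args[0] );
    if ( ! $post || 'page' !== $post->post_type ) {
        return $caps;
    }

    // Pages with a special role in Settings > Reading.
    $special = array(
        (int) get_option( 'page_on_front' ),
        (int) get_option( 'page_for_posts' ),
    );
    if ( ! in_array( (int) $post->ID, $special, true ) ) {
        return $caps;
    }

    $type = get_post_type_object( 'page' );
    if ( ! $type ) {
        return $caps;
    }

    // Require the same primitive capabilities an ordinary page would need,
    // in addition to whatever was already mapped for this check.
    $required = array( $type->cap->delete_posts );
    if ( 'publish' === $post->post_status ) {
        $required[] = $type->cap->delete_published_posts;
    } elseif ( 'private' === $post->post_status ) {
        $required[] = $type->cap->delete_private_posts;
    }
    if ( (int) $post->post_author !== (int) $user_id ) {
        $required[] = $type->cap->delete_others_posts;
    }

    return array_unique( array_merge( $caps, $required ) );
}
```

With this filter active, repeating the steps above as the restricted administrator and calling `current_user_can( 'delete_post', $front_page_id )` is a quick check that the homepage is now covered by the removed capabilities. Super admins on a multisite network are not affected by the filter.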