Make WordPress Core

Opened 2 months ago

Last modified 7 weeks ago

#49668 new defect (bug)

Multisite: export/erase requests initiated in a sub-site should check whether the user belongs to that sub-site

Reported by: pbiron
Owned by:
Milestone: 5.5
Priority: normal
Severity: normal
Version:
Component: Privacy
Keywords: has-patch
Focuses: multisite, privacy
Cc:


As of 5.4, when an export request is initiated from within a specific sub-site in a multisite, wp_user_personal_data_exporter() will export user data for a user even if that user is not registered on that sub-site.

wp_user_personal_data_exporter() should be modified to check that the user is registered on the sub-site where the request was initiated.

Note: wp_media_personal_data_exporter() and wp_comment_personal_data_exporter() do not need to be modified as the tables they query are specific to the sub-site, whereas the user table is global.

Related: #44176

Attachments (1)

49668.diff (953 bytes) - added by pbiron 2 months ago.


Change History (4)

2 months ago

#1 @pbiron
2 months ago

  • Keywords has-patch added

49668.diff limits user privacy exports initiated from a multisite blog (including the main site) to users registered on that blog.

A few notes:

  1. the ! is_network_admin() check isn't needed as of right now, but I put it in there in anticipation of #43738, which is asking that export/erase requests be available at the network level
  2. we'll have to think about how to make it easy for custom exporters to also limit exports in a similar fashion (which might just have to be in documentation...haven't given it much thought yet)
  3. this is not yet ready to be committed, and should just be considered a POC at this point
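
One way a custom exporter (note 2 above) could apply the same restriction, as an added example that is not part of the ticket, 49668.diff, or WordPress core. It assumes the export runs in the context of the sub-site where the request was initiated; the `myplugin_` names and the `myplugin_notes` meta key are hypothetical.

```php
<?php
// Added example, not from the ticket or 49668.diff. The myplugin_ prefix and
// the 'myplugin_notes' meta key are hypothetical.

/**
 * Whether $user's data may be exported in the current request context.
 */
function myplugin_user_in_export_scope( WP_User $user ) {
	// Outside multisite, or in the network admin (see #43738), the request
	// is not tied to a single sub-site, so there is nothing to scope.
	if ( ! is_multisite() || is_network_admin() ) {
		return true;
	}
	// wp_users and wp_usermeta are global tables, so finding the user proves
	// nothing about this site: check membership explicitly.
	return is_user_member_of_blog( $user->ID, get_current_blog_id() );
}

function myplugin_personal_data_exporter( $email_address, $page = 1 ) {
	$result = array( 'data' => array(), 'done' => true );

	$user = get_user_by( 'email', $email_address );
	if ( ! $user || ! myplugin_user_in_export_scope( $user ) ) {
		return $result; // Unknown user, or not registered on this site.
	}

	$notes = get_user_meta( $user->ID, 'myplugin_notes', true );
	if ( is_string( $notes ) && '' !== $notes ) {
		$result['data'][] = array(
			'group_id'    => 'myplugin-notes',
			'group_label' => 'My Plugin Notes',
			'item_id'     => "myplugin-notes-{$user->ID}",
			'data'        => array(
				array( 'name' => 'Notes', 'value' => $notes ),
			),
		);
	}
	return $result;
}

add_filter( 'wp_privacy_personal_data_exporters', function ( $exporters ) {
	$exporters['myplugin-notes'] = array(
		'exporter_friendly_name' => 'My Plugin Notes',
		'callback'               => 'myplugin_personal_data_exporter',
	);
	return $exporters;
} );
```

The exporter returns the same empty result for an unknown e-mail address and for a user who is not a member of the current site, so the response does not reveal whether the address is registered elsewhere on the network.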

This ticket was mentioned in Slack in #core-privacy by pbiron.

8 weeks ago

This ticket was mentioned in Slack in #core-privacy by garrett-eclipse.

7 weeks ago
