Opened 3 years ago
Last modified 3 years ago
#50260 new defect (bug)
Multisite - Getting actual user capabilities with get_role_caps() different with current_user_can()
Reported by: |
|
Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.4.1 |
Component: | Role/Capability | Keywords: | dev-feedback |
Focuses: | multisite | Cc: |
Description
If I check below user capabilities for Administrator then I get both capabilities as false
.
current_user_can( 'install_plugins' ) current_user_can( 'activate_plugins' )
But, If I check the same capabilities by login to the Super Administrator then both return true
.
The administrator user role has no such capabilities but, If we check the current user capabilities with:
$current_user = wp_get_current_user(); print_r( $current_user->allcaps ); print_r( $current_user->get_role_caps() );
Then for the administrator user role, I get below a list of capabilities:
// Array // ( // [switch_themes] => 1 // [edit_themes] => 1 // [activate_plugins] => 1 // [edit_plugins] => 1 // [edit_users] => 1 // [edit_files] => 1 // [manage_options] => 1 // [moderate_comments] => 1 // [manage_categories] => 1 // [manage_links] => 1 // [upload_files] => 1 // [import] => 1 // [unfiltered_html] => 1 // [edit_posts] => 1 // [edit_others_posts] => 1 // [edit_published_posts] => 1 // [publish_posts] => 1 // [edit_pages] => 1 // [read] => 1 // [level_10] => 1 // [level_9] => 1 // [level_8] => 1 // [level_7] => 1 // [level_6] => 1 // [level_5] => 1 // [level_4] => 1 // [level_3] => 1 // [level_2] => 1 // [level_1] => 1 // [level_0] => 1 // [edit_others_pages] => 1 // [edit_published_pages] => 1 // [publish_pages] => 1 // [delete_pages] => 1 // [delete_others_pages] => 1 // [delete_published_pages] => 1 // [delete_posts] => 1 // [delete_others_posts] => 1 // [delete_published_posts] => 1 // [delete_private_posts] => 1 // [edit_private_posts] => 1 // [read_private_posts] => 1 // [delete_private_pages] => 1 // [edit_private_pages] => 1 // [read_private_pages] => 1 // [delete_users] => 1 // [create_users] => 1 // [unfiltered_upload] => 1 // [edit_dashboard] => 1 // [update_plugins] => 1 // [delete_plugins] => 1 // [install_plugins] => 1 // [update_themes] => 1 // [install_themes] => 1 // [update_core] => 1 // [list_users] => 1 // [remove_users] => 1 // [promote_users] => 1 // [edit_theme_options] => 1 // [delete_themes] => 1 // [export] => 1 // [restrict_content] => 1 // [list_roles] => 1 // [administrator] => 1 // )
Here we can see the Administrator user has the capability:
// [install_plugins] => 1 // [activate_plugins] => 1
But, When we check them with current_user_can()
then both return false.
After debugging in dept I found that the do_not_allow
is set for the Non-super admin users for install_plugins capability.
case 'update_plugins': case 'delete_plugins': case 'install_plugins': case 'upload_plugins': case 'update_themes': case 'delete_themes': case 'install_themes': case 'upload_themes': case 'update_core': ... } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) { $caps[] = 'do_not_allow'; .... break;
Same for the activate_plugins the capabilities are set as ["activate_plugins","manage_network_plugins"]
case 'activate_plugins': case 'deactivate_plugins': case 'activate_plugin': case 'deactivate_plugin': $caps[] = 'activate_plugins'; if ( is_multisite() ) { // update_, install_, and delete_ are handled above with is_super_admin(). $menu_perms = get_site_option( 'menu_items', array() ); if ( empty( $menu_perms['plugins'] ) ) { $caps[] = 'manage_network_plugins'; } } break;
So, Ideally only those capabilities need to return by $current_user->get_role_caps()
.
Those capabilities need to exclude from the list which current user cant perform. E.g. do_not_allow
.
I'm getting below capabilities as
false
with current_user_can():and
true
for below: