#53224 closed defect (bug) (fixed)
Super admin cannot set an application password on a site they're not a member of
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 6.1 | Priority: | normal |
Severity: | normal | Version: | 5.6 |
Component: | Application Passwords | Keywords: | has-patch has-unit-tests dev-feedback add-to-field-guide needs-user-docs |
Focuses: | multisite | Cc: |
Description
Steps to reproduce:
- Log into a Multisite installation as a Super Admin
- Visit the admin area of a site you're not a member of
- Visit your profile editing screen on that site (/wp-admin/profile.php)
- Try to add an application password
- Observe a mystery error message of "Invalid user ID"
This is due to this piece of logic which requires that the user is a member of the current site in order to set an application password.
To fix this, one of the following should be done:
- Skip this check for Super Admins and always allow them to add an application password
- Improve the error message and direct them to their network admin profile
Attachments (1)
Change History (18)
#1
@
4 years ago
- Keywords good-first-bug added
- Milestone changed from Awaiting Review to Future Release
This ticket was mentioned in PR #1538 on WordPress/wordpress-develop by johnbillion.
4 years ago
#3
- Keywords has-unit-tests added
Trac ticket: https://core.trac.wordpress.org/ticket/53224
#5
@
4 years ago
- Keywords dev-feedback added; good-first-bug removed
The PR at https://github.com/WordPress/wordpress-develop/pull/1538 adds a test for this and switches to using a capability check instead of a direct check for is_super_admin(). Just need somebody (e.g. @georgestephanis) to confirm that the manage_sites cap makes sense.
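An added example, not code from this ticket, the PR or WordPress core: a standalone PHP model of the membership check from the ticket description and of the manage_sites capability check mentioned in the comment above. The user names, site IDs and demo_* functions are hypothetical, and how the capability combines with the membership test is an assumption; the script does not load or call WordPress.

```php
<?php
// Constructed sample data: the sites each user belongs to and their network-level caps.
const DEMO_USERS = [
    'network_admin' => ['sites' => [1], 'caps' => ['manage_sites']],
    'site_editor'   => ['sites' => [2], 'caps' => []],
    'outsider'      => ['sites' => [3], 'caps' => []],
];

// Hypothetical stand-in for a "is this user a member of the site" lookup.
function demo_is_member(string $user, int $site_id): bool {
    return in_array($site_id, DEMO_USERS[$user]['sites'], true);
}

// Hypothetical stand-in for a capability lookup.
function demo_user_can(string $user, string $cap): bool {
    return in_array($cap, DEMO_USERS[$user]['caps'], true);
}

// Behaviour reported in the ticket: membership of the current site is
// required, so a super admin on a foreign site gets "Invalid user ID".
function demo_check_before(string $user, int $site_id): string {
    return demo_is_member($user, $site_id) ? 'allowed' : 'Invalid user ID';
}

// Behaviour discussed in the ticket (assumed combination): holders of
// manage_sites skip the membership requirement, everyone else is still
// held to it.
function demo_check_after(string $user, int $site_id): string {
    if (demo_user_can($user, 'manage_sites') || demo_is_member($user, $site_id)) {
        return 'allowed';
    }
    return 'Invalid user ID';
}

// Evaluate every sample user against site 2 under both rules.
function demo_matrix(int $site_id): array {
    $rows = [];
    foreach (array_keys(DEMO_USERS) as $user) {
        $rows[$user] = [
            'before' => demo_check_before($user, $site_id),
            'after'  => demo_check_after($user, $site_id),
        ];
    }
    return $rows;
}

foreach (demo_matrix(2) as $user => $r) {
    printf("%-14s before=%-16s after=%s\n", $user, $r['before'], $r['after']);
}
```

The row to watch when reviewing a change like this is the non-member without the capability: it must be rejected under both rules, so the fix widens access only for users who hold manage_sites.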
georgestephanis commented on PR #1538:
4 years ago
#6
Hrm. My MU-Fu is a bit on the weak side of late, I'm not sure if a global manage sites cap is best or -- is there maybe a manage_site( $site_id ) check, in case folks can manage one network but not another in the case of multi-network?
cc: @JJJ who I've always deferred to on this sort of thing for a hot take.
johnbillion commented on PR #1538:
4 years ago
#7
Unfortunately there's no further granularity to manage_sites, see https://core.trac.wordpress.org/ticket/36940
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
3 years ago
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
3 years ago
#10
@
3 years ago
- Milestone changed from 5.9 to 6.0
As per today's bug scrub:
Since there's still some ongoing discussion in the PR, let's move this ticket to milestone 6.0.
#11
@
3 years ago
@johnjamesjacoby is the TL;DR of your comment on the PR that @johnbillion's selection of the manage_sites cap check is correct?
This ticket was mentioned in Slack in #core by mike. View the logs.
3 years ago
#13
@
3 years ago
- Milestone changed from 6.0 to Future Release
This was discussed in a bug scrub today.
As it seems further consensus is needed on the PR, it was decided to move this from the milestone.
#15
@
3 years ago
- Owner set to johnbillion
- Resolution set to fixed
- Status changed from new to closed
In 53882:
Skipping the check for super admins makes sense to me!