Make WordPress Core

Opened 3 years ago

Closed 20 months ago

Last modified 18 months ago

#53224 closed defect (bug) (fixed)

Super admin cannot set an application password on a site they're not a member of

Reported by: johnbillion
Owned by: johnbillion
Milestone: 6.1
Priority: normal
Severity: normal
Version: 5.6
Component: Application Passwords
Keywords: has-patch has-unit-tests dev-feedback add-to-field-guide needs-user-docs
Focuses: multisite
Cc:

Description

Steps to reproduce:

  1. Log into a Multisite installation as a Super Admin
  2. Visit the admin area of a site you're not a member of
  3. Visit your profile editing screen on that site (/wp-admin/profile.php)
  4. Try to add an application password
  5. Observe a mystery error message of "Invalid user ID"

This is due to this piece of logic which requires that the user is a member of the current site in order to set an application password.

To fix this, one of the following should be done:

  1. Skip this check for Super Admins and always allow them to add an application password
  2. Improve the error message and direct them to their network admin profile
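The membership check the report describes, written out as an added illustration rather than WordPress core code. The "before" function mirrors the logic the ticket points at (a user may act on a site only if they are a member of it), and the "after" function applies the approach the thread settled on: a capability check for `manage_sites` instead of a direct `is_super_admin()` call. Function names prefixed `example_` are assumptions for this example; `is_multisite()`, `is_user_member_of_blog()`, `current_user_can()`, `get_current_user_id()` and `WP_Error` are real WordPress APIs. Outside WordPress the file supplies small fakes of those APIs over a constructed two-site network so it can be run with the `php` CLI; inside WordPress the real functions are used and the demo loop is skipped.

```php
<?php
/**
 * Added example, not WordPress core code: the site-membership check behind the
 * "Invalid user ID" error, before and after exempting users who hold the
 * manage_sites capability.
 */

if ( ! function_exists( 'is_multisite' ) ) {
	// Constructed sample network for stand-alone runs. User 1 is a super admin
	// and a member of site 1 only; user 2 is an administrator of site 2 only;
	// user 3 is an ordinary member of site 1 only. The current site is site 2.
	$GLOBALS['example_current_site'] = 2;
	$GLOBALS['example_site_members'] = array( 1 => array( 1, 3 ), 2 => array( 2 ) );
	$GLOBALS['example_super_admins'] = array( 1 );
	$GLOBALS['example_current_user'] = 1;

	function is_multisite() {
		return true;
	}

	function get_current_user_id() {
		return $GLOBALS['example_current_user'];
	}

	function is_user_member_of_blog( $user_id, $blog_id = 0 ) {
		$blog_id = $blog_id ? $blog_id : $GLOBALS['example_current_site'];
		return in_array( $user_id, $GLOBALS['example_site_members'][ $blog_id ], true );
	}

	// Models only the part of the capability system this example needs:
	// manage_sites is granted to super admins and to nobody else.
	function current_user_can( $cap ) {
		return 'manage_sites' === $cap
			&& in_array( get_current_user_id(), $GLOBALS['example_super_admins'], true );
	}

	class WP_Error {
		public $code;
		public $message;
		public function __construct( $code, $message ) {
			$this->code    = $code;
			$this->message = $message;
		}
		public function get_error_message() {
			return $this->message;
		}
	}
}

/**
 * Pre-fix logic: on multisite, reject any user who is not a member of the
 * current site. A super admin visiting a site they were never added to fails
 * this check and sees the unhelpful "Invalid user ID".
 */
function example_check_before_fix( $user_id ) {
	if ( is_multisite() && ! is_user_member_of_blog( $user_id ) ) {
		return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.' );
	}
	return true;
}

/**
 * Post-fix logic as discussed on the ticket: keep the membership rule for
 * ordinary users but let a user who can manage_sites through. A capability
 * check is preferred over is_super_admin() so the exemption follows the
 * capability filters a site may apply. Note manage_sites is network-wide;
 * there is no per-site variant of it.
 */
function example_check_after_fix( $user_id ) {
	if ( is_multisite()
		&& ! is_user_member_of_blog( $user_id )
		&& ! current_user_can( 'manage_sites' ) ) {
		return new WP_Error( 'rest_user_invalid_id', 'Invalid user ID.' );
	}
	return true;
}

// Stand-alone demonstration only; ABSPATH is defined inside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	$cases = array(
		1 => 'super admin, not a member of the current site',
		2 => 'administrator who is a member of the current site',
		3 => 'ordinary user, not a member of the current site',
	);
	foreach ( $cases as $uid => $label ) {
		$GLOBALS['example_current_user'] = $uid;
		$before = example_check_before_fix( $uid );
		$after  = example_check_after_fix( $uid );
		printf(
			"user %d (%s): before=%s after=%s\n",
			$uid,
			$label,
			$before instanceof WP_Error ? $before->get_error_message() : 'allowed',
			$after instanceof WP_Error ? $after->get_error_message() : 'allowed'
		);
	}
}
```

Run with `php example.php`: user 1 is rejected by the old check and allowed by the new one, user 2 passes both, and user 3 is rejected by both, which is the behaviour the ticket asks for. The remaining caveat, raised later in the thread, is that `manage_sites` has no per-network granularity, so on a multi-network install the exemption applies wherever the user holds that capability.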

Attachments (1)

53224.diff (769 bytes) - added by ilovecats7 3 years ago.


Change History (18)

#1 @TimothyBlynJacobs
3 years ago

  • Keywords good-first-bug added
  • Milestone changed from Awaiting Review to Future Release

Skipping the check for super admins makes sense to me!

@ilovecats7
3 years ago

#2 @ilovecats7
3 years ago

  • Keywords has-patch dev-feedback added; needs-patch removed

#3
3 years ago

This ticket was mentioned in PR #1538 on WordPress/wordpress-develop by johnbillion.

  • Keywords has-unit-tests added

#4 @johnbillion
3 years ago

  • Keywords dev-feedback removed
  • Milestone changed from Future Release to 5.9

#5 @johnbillion
3 years ago

  • Keywords dev-feedback added; good-first-bug removed

The PR at https://github.com/WordPress/wordpress-develop/pull/1538 adds a test for this and switches to using a capability check instead of a direct check for is_super_admin(). Just need somebody (e.g. @georgestephanis) to confirm that the manage_sites cap makes sense.

#6 georgestephanis commented on PR #1538:
3 years ago

Hrm. My MU-Fu is a bit on the weak side of late, I'm not sure if a global manage sites cap is best or -- is there maybe a manage_site( $site_id ) check, in case folks can manage one network but not another in the case of multi-network?

cc: @JJJ who I've always deferred to on this sort of thing for a hot take.

#7 johnbillion commented on PR #1538:
3 years ago

Unfortunately there's no further granularity to manage_sites, see https://core.trac.wordpress.org/ticket/36940

This ticket was mentioned in Slack in #core by audrasjb.
2 years ago

This ticket was mentioned in Slack in #core by audrasjb.
2 years ago

#10 @audrasjb
2 years ago

  • Milestone changed from 5.9 to 6.0

As per today's bug scrub:
Since there's still some ongoing discussion in the PR, let's move this ticket to milestone 6.0.

#11 @peterwilsoncc
2 years ago

@johnjamesjacoby is the TL;DR of your comment on the PR that @johnbillion's selection of the manage_sites cap check is correct?

This ticket was mentioned in Slack in #core by mike.
23 months ago

#13 @peterwilsoncc
23 months ago

  • Milestone changed from 6.0 to Future Release

This was discussed in a bug scrub today.

As it seems further consensus is needed on the PR, it was decided to move this from the milestone.

#14 @johnbillion
21 months ago

  • Milestone changed from Future Release to 6.1

#15 @johnbillion
20 months ago

  • Owner set to johnbillion
  • Resolution set to fixed
  • Status changed from new to closed

In 53882:

Application Passwords: Allow a Super Admin to set an application password on a site they're not a member of.

This removes the requirement that a Super Admin must be a member of the current site when they attempt to set an application password within the admin area of an individual site on the network.

Props TimothyBlynJacobs, ilovecats7, johnbillion, georgestephanis, johnjamesjacoby

Fixes #53224

#17 @milana_cap
18 months ago

  • Keywords add-to-field-guide needs-user-docs added