WordPress.org

Make WordPress Core

Opened 4 months ago

Last modified 11 days ago

#53694 new defect (bug)

Multisite: Capability check isn't strict enough when hard deleting a site

Reported by: henry.wright Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Networks and Sites Keywords: has-patch needs-testing
Focuses: multisite Cc:

Description

If the second argument passed to wpmu_delete_blog() is true, then a site can be hard deleted. By hard deleted I mean the site's database table will be dropped.

My understanding is, the delete_sites capability is granted to super administrators only. delete_sites will let the super administrator hard delete a site. Administrators don't have this capability. Instead, administrators have the delete_site capability.

In wp-admin/network/sites.php, wpmu_delete_blog() is called with true as the second argument. The capability check in this case is delete_site. Should this be delete_sites?

Attachments (1)

53694.diff (481 bytes) - added by henry.wright 4 months ago.

Download all attachments as: .zip

Change History (3)

@henry.wright
4 months ago

#1 @henry.wright
4 months ago

  • Keywords has-patch added

53694.diff fixes the capability check before hard deleting a site in the network.

#2 @henry.wright
11 days ago

  • Keywords needs-testing added
Note: See TracTickets for help on using tickets.