#53694 closed defect (bug) (wontfix)
Multisite: Capability check isn't strict enough when hard deleting a site
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Networks and Sites | Keywords: | has-patch |
| Focuses: | multisite | Cc: | |
Description
If the second argument passed to wpmu_delete_blog() is true, then a site can be hard deleted. By hard deleted I mean the site's database table will be dropped.
My understanding is, the delete_sites capability is granted to super administrators only. delete_sites will let the super administrator hard delete a site. Administrators don't have this capability. Instead, administrators have the delete_site capability.
In wp-admin/network/sites.php, wpmu_delete_blog() is called with true as the second argument. The capability check in this case is delete_site. Should this be delete_sites?
Attachments (1)
Change History (5)
#3
@
4 months ago
- Keywords needs-testing removed
- Milestone Awaiting Review deleted
- Resolution set to wontfix
- Status changed from new to closed
> Should this be delete_sites?
I think delete_site is OK.
See [31673] for the introduction of delete_site. It was manage_options previously, and it still maps to it currently.
> My understanding is, the delete_sites capability is granted to super administrators only
Correct, grouped via map_meta_cap() with other super-admin caps such as create_sites and manage_sites.
> Administrators don't have this capability. Instead, administrators have the delete_site capability.
Correct again – delete_site is also a meta capability, currently like:
```php
case 'delete_site':
	if ( is_multisite() ) {
		$caps[] = 'manage_options';
	} else {
		$caps[] = 'do_not_allow';
	}
	break;
```
> The capability check in this case is delete_site.
It is somewhat confusing that almost all delete_site cap checks pass in a blog ID (similar to other singular capabilities like delete_post) even though it is not used by WordPress internally, but then menu.php is forced to use it without one from [31673] – but it is nice to pass in for plugins to use.
(We could have the delete_site meta-cap default to get_current_blog_id(), but that would make it different from all of the other ID-based singular mapped caps that _doing_it_wrong() if no ID is passed.)
Let's close this as wontfix, and we can maybe open a new issue later for the delete_site inconsistencies.
53694.diff fixes the capability check before hard deleting a site in the network.
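
Because the ticket was closed as wontfix, a network that wants the stricter rule has to apply it itself. One way is a `map_meta_cap` filter that uses the site ID the comment above says is passed in for plugins. This is an added example, not code from the ticket, the patch, or WordPress core; the function name `example_require_delete_sites` and the policy it encodes (which checks get tightened) are assumptions.

```php
<?php
/**
 * Plugin Name: Require delete_sites for network-level site deletion (example)
 *
 * Added example: tightens the delete_site meta capability so that checks
 * made from the network admin, or aimed at a site other than the current
 * one, also require the super-admin-only delete_sites capability.
 */

defined( 'ABSPATH' ) || exit;

add_filter( 'map_meta_cap', 'example_require_delete_sites', 10, 4 );

/**
 * @param string[] $caps    Primitive caps core mapped so far
 *                          (manage_options for delete_site on multisite).
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User the check is for (unused here).
 * @param array    $args    Extra arguments; $args[0] is the site ID when
 *                          the caller passed one.
 * @return string[] Primitive caps the user must hold.
 */
function example_require_delete_sites( $caps, $cap, $user_id, $args ) {
	if ( 'delete_site' !== $cap || ! is_multisite() ) {
		return $caps;
	}

	// Site ID is optional: some callers check delete_site without one.
	$site_id = isset( $args[0] ) ? (int) $args[0] : 0;

	$from_network_admin = is_network_admin();
	$targets_other_site = $site_id > 0 && get_current_blog_id() !== $site_id;

	if ( $from_network_admin || $targets_other_site ) {
		// delete_sites is only satisfied by super admins, so a site
		// administrator holding manage_options no longer passes.
		$caps[] = 'delete_sites';
	}

	// A site admin checking delete_site for their own site from the site
	// dashboard is left with core's mapping unchanged.
	return $caps;
}
```

Dropped into `wp-content/mu-plugins/`, the filter applies network-wide; any plugin that checks `delete_site` with another site's ID is affected as well.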