Opened 3 years ago
Last modified 3 years ago
#53694 new defect (bug)
Multisite: Capability check isn't strict enough when hard deleting a site
Reported by: | henry.wright | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | |
Component: | Networks and Sites | Keywords: | has-patch needs-testing |
Focuses: | multisite | Cc: | |
Description
If the second argument passed to `wpmu_delete_blog()` is `true`, then a site can be hard deleted. By hard deleted I mean the site's database table will be dropped.
My understanding is, the `delete_sites` capability is granted to super administrators only. `delete_sites` will let the super administrator hard delete a site. Administrators don't have this capability. Instead, administrators have the `delete_site` capability.
In wp-admin/network/sites.php, `wpmu_delete_blog()` is called with `true` as the second argument. The capability check in this case is `delete_site`. Should this be `delete_sites`?
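One way to tie the capability to the `$drop` flag, as the description proposes. This is an added example, not code from the ticket, its patch, or WordPress core; `example_delete_site()` and its error codes are hypothetical, and it assumes a multisite install.

```php
<?php
/**
 * Added example, not WordPress core code. example_delete_site() is a
 * hypothetical helper: it picks the capability from the $drop flag so a
 * hard delete always needs the network-level capability.
 *
 * @return true|WP_Error
 */
function example_delete_site( int $site_id, bool $drop = false ) {
	if ( ! is_multisite() ) {
		return new WP_Error( 'not_multisite', 'Site deletion requires multisite.' );
	}

	if ( ! get_site( $site_id ) ) {
		return new WP_Error( 'unknown_site', 'No such site.' );
	}

	// Refuse the network's main site outright instead of relying on the caller.
	if ( is_main_site( $site_id ) ) {
		return new WP_Error( 'main_site', 'The main site cannot be deleted.' );
	}

	if ( $drop ) {
		// Hard delete (tables dropped): require the network-level capability.
		$allowed = current_user_can( 'delete_sites' );
	} else {
		// Soft delete (site only flagged as deleted): per-site capability.
		$allowed = current_user_can( 'delete_site', $site_id );
	}

	if ( ! $allowed ) {
		return new WP_Error( 'forbidden', 'Not allowed to delete this site.', array( 'status' => 403 ) );
	}

	// wpmu_delete_blog() lives in an admin include; load it outside wp-admin.
	if ( ! function_exists( 'wpmu_delete_blog' ) ) {
		require_once ABSPATH . 'wp-admin/includes/ms.php';
	}

	wpmu_delete_blog( $site_id, $drop );
	return true;
}
```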
Attachments (1)
Change History (3)
53694.diff fixes the capability check before hard deleting a site in the network.