Make WordPress Core

Opened 18 months ago

Last modified 4 months ago

#58610 new feature request

Allow Custom CSS to Site Admins in Multisite

Reported by: anrghg
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: major
Version:
Component: Customize
Keywords:
Focuses: ui, css, administration, multisite
Cc:

Description

I wonder whether anybody ever complained about the Custom CSS Editor not being available to site admins in multisite networks, in any of the 255 issues involving "Custom CSS" posted in Core Trac so far.

Many site admins can switch theme as well. Why should they not be able to fix their theme?

Solving this issue only takes deleting the following commented-out lines in wp-includes/capabilities.php:591.

case 'unfiltered_html':
        // Disallow unfiltered_html for all users, even admins and super admins.
        if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
                $caps[] = 'do_not_allow';
//      } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
//              $caps[] = 'do_not_allow';
        } else {
                $caps[] = 'unfiltered_html';
        }
        break;

Moreover, the Theme Customizer does not save any CSS containing HTML tags, so there never is any HTML in Custom CSS.

Change History (4)

#1 @lenasterg (follow-ups: #2, #3)
18 months ago

Don't do that.
It would be better to have an option in the 'Network settings' admin page where each super admin could select whether he/she would allow Custom CSS editing for the subsites.

@anrghg If you need it for a project of yours, either install the plugin https://wordpress.org/plugins/multisite-custom-css/ or add the following code to your custom functions file.

<?php
// Remap the 'edit_css' meta capability on multisite so that it requires
// 'edit_theme_options' (which site admins hold) instead of 'unfiltered_html'
// (which core reserves for super admins on multisite). 'unfiltered_html'
// itself is left alone, so KSES filtering of post content is unaffected.
add_filter( 'map_meta_cap', 'multisite_custom_css_map_meta_cap', 20, 2 );
function multisite_custom_css_map_meta_cap( $caps, $cap ) {
        if ( 'edit_css' === $cap && is_multisite() ) {
                $caps = array( 'edit_theme_options' );
        }
        return $caps;
}

Best,
Lena

#2 in reply to #1 @anrghg
18 months ago

  • Type changed from defect (bug) to feature request

Replying to lenasterg:

Thank you very much for warning me, for the plugin and for its code.

When added in WordPress 4.7, the Custom CSS editor probably didn’t filter the CSS, hence the point about site admins “not trusted with unfiltered CSS.”

But today, the Custom CSS editor does filter the CSS. E.g. when CSS has HTML tags in it, it is not saved to the database. Hence the point about unfiltered CSS is currently invalid. As a result, this code should be part of WordPress Core.

Today, the now useless feature that this code is working around only screws WordPress up. I had no idea that we need an extra plugin to get WordPress to work as expected. How could I? I did do a Google search about the topic, to no avail.

Please correct me if I missed the point.

Thanks.

#3 in reply to #1 @anrghg
18 months ago

I’ve tried to test the first Custom CSS editor in WordPress 4.7, but it broke my site and required a fresh install. From the Multisite Custom CSS plugin’s documentation written up back then, I infer that CSS was not filtered at the time. The current front-end CSS validation is effective since the Custom CSS editor does not work when JavaScript is turned off, and therefore it cannot save anything to the database unless it can check for interspersed HTML thanks to its JavaScript-driven front-end validator.

I think that if WordPress keeps denying Custom CSS access to site admins in multisite, this is only with respect to the existing plugin. Thanks a lot @lenasterg for advising to overcome this outdated policy by adding an option in the Network Settings, perhaps like this:

Theme Customizer Settings
Custom CSS   ☐ Allow site admins to add CSS to their site

Indeed the initially suggested solution would open a security hole since it would affect KSES filters as well, and the cited code is fine as-is:

<?php
case 'unfiltered_html':
        // Disallow unfiltered_html for all users, even admins and super admins.
        if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
                $caps[] = 'do_not_allow';
        } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
                $caps[] = 'do_not_allow';
        } else {
                $caps[] = 'unfiltered_html';
        }
        break;

So I’ll definitely advise to install the Multisite Custom CSS plugin until the setting is added to Core.
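The network-level opt-in sketched in comments #1 and #3, written out as an added example; this is not core code and not the Multisite Custom CSS plugin, and the option name `anrghg_allow_subsite_custom_css` and the `anrghg_` prefix are invented here. It uses the real `wpmu_options`, `update_wpmu_options` and `map_meta_cap` hooks, and it follows the point made in #3 about KSES: only the `edit_css` meta capability is remapped, and `unfiltered_html` is never granted, so site admins' post and widget content stays filtered. It also keeps honouring `DISALLOW_UNFILTERED_HTML`, which core uses to switch the CSS editor off entirely. Drop it in `wp-content/mu-plugins/` or network-activate it as a plugin.

```php
<?php
/**
 * Illustrative network opt-in for subsite Custom CSS (example code, not WordPress core).
 *
 * Assumptions (not from the ticket): the site option name and the 'anrghg_' prefix
 * are invented for this example. The hooks used below exist in core.
 */

defined( 'ABSPATH' ) || exit;

const ANRGHG_CSS_OPTION = 'anrghg_allow_subsite_custom_css'; // invented option name

// Render a checkbox at the bottom of Network Admin > Settings.
add_action( 'wpmu_options', function () {
	$allowed = (bool) get_site_option( ANRGHG_CSS_OPTION, false );
	?>
	<h2><?php esc_html_e( 'Theme Customizer Settings', 'anrghg' ); ?></h2>
	<table class="form-table" role="presentation">
		<tr>
			<th scope="row"><?php esc_html_e( 'Custom CSS', 'anrghg' ); ?></th>
			<td>
				<label>
					<input type="checkbox"
					       name="<?php echo esc_attr( ANRGHG_CSS_OPTION ); ?>"
					       value="1" <?php checked( $allowed ); ?> />
					<?php esc_html_e( 'Allow site admins to add CSS to their site', 'anrghg' ); ?>
				</label>
			</td>
		</tr>
	</table>
	<?php
} );

// Persist the checkbox. wp-admin/network/settings.php verifies the 'siteoptions'
// nonce and 'manage_network_options' before this action fires; the capability
// check here is deliberate redundancy so the handler is safe if reused elsewhere.
add_action( 'update_wpmu_options', function () {
	if ( ! current_user_can( 'manage_network_options' ) ) {
		return;
	}
	update_site_option( ANRGHG_CSS_OPTION, empty( $_POST[ ANRGHG_CSS_OPTION ] ) ? 0 : 1 );
} );

// Remap only the 'edit_css' meta capability. Core maps edit_css -> unfiltered_html,
// which non-super-admins never hold on multisite, so by default it resolves to
// do_not_allow. We return 'edit_theme_options' instead and never touch
// 'unfiltered_html', so KSES keeps filtering these users' posts and widgets.
// Nothing here changes what the Customizer's custom_css setting validates on save.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
	if ( 'edit_css' !== $cap || ! is_multisite() ) {
		return $caps;
	}

	// Keep the network-wide kill switch: with DISALLOW_UNFILTERED_HTML set, core
	// denies edit_css to everyone, super admins included. Leave that as is.
	if ( defined( 'DISALLOW_UNFILTERED_HTML' ) && DISALLOW_UNFILTERED_HTML ) {
		return $caps;
	}

	if ( is_super_admin( $user_id ) || get_site_option( ANRGHG_CSS_OPTION, false ) ) {
		return array( 'edit_theme_options' );
	}

	return $caps; // option off: still do_not_allow for site admins
}, 20, 3 );
```

Two practical notes. First, `get_site_option()` is a network-wide value, so the switch is all-or-nothing across subsites; a per-site allow list would need a site ID check in the same filter. Second, enabling this is still a trust decision: CSS with no markup in it can still overlay or hide parts of a page and can reference external URLs, so the option is best kept off on networks whose site admins are not already trusted to change the theme.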

This ticket was mentioned in Slack in #forums by sabernhardt.
4 months ago
