[wp-trac] [WordPress Trac] #16207: manage_network_plugins cap allows network activation, but can't see network active plugins

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 12 21:52:44 UTC 2011 

#16207: manage_network_plugins cap allows network activation, but can't see network
active plugins
-------------------------+-------------------------------------------------
 Reporter:  cgrymala     |      Owner:
     Type:  defect       |     Status:  new
  (bug)                  |  Milestone:  Awaiting Review
 Priority:  normal       |    Version:
Component:  Plugins      |   Keywords:  is_super_admin,
 Severity:  normal       |  manage_network_plugins,
                         |  validate_active_plugins, capabilities
-------------------------+-------------------------------------------------
 Within WordPress MultiSite, if the manage_network_plugins capability is
 added to a user role (or granted to a custom user role), that user is able
 to see a list of plugins available, and has the option and ability to
 "Network Activate" any plugin that's currently not activated; however,
 once that plugin is Network Active, the user can no longer see it in the
 list. The "Network Active" filter is available above the list of plugins,
 but clicking on it shows an empty list of plugins.

 This is most likely a result of the fact that is_super_admin() is used to
 determine whether or not to validate and/or show a network active plugin,
 but current_user_can( 'manage_network_plugins' ) is used to determine
 whether or not a user can Network Activate a plugin.

 I'm not sure if this behavior is intentional or not, but it is rather
 jarring to be able to network activate a plugin, then have it disappear
 completely from the visible list of plugins.

 My proposed solution would be to change the validate_active_plugins()
 function (currently found on line 728 of /wp-admin/includes/plugin.php in
 the trunk). The current code looks like:


 {{{
         if ( is_multisite() && is_super_admin() ) {
                         $network_plugins = (array) get_site_option(
 'active_sitewide_plugins', array() );
                         $plugins = array_merge( $plugins, array_keys(
 $network_plugins ) );
                 }
 }}}


 My proposed solution would be to change it to:

 {{{
         if ( is_multisite() && current_user_can( 'manage_network_plugins'
 ) ) {
                         $network_plugins = (array) get_site_option(
 'active_sitewide_plugins', array() );
                         $plugins = array_merge( $plugins, array_keys(
 $network_plugins ) );
                 }
 }}}

 From what I've been able to determine, that should allow users with the
 manage_network_plugins capability (even if they don't evaluate as
 is_super_admin) to view (and, in the trunk, at least, they would be
 allowed to deactivate) the Network Active plugins.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/16207>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list