[wp-trac] [WordPress Trac] #12109: map_meta_cap doesnt work for multisite superadmins

WordPress Trac wp-trac at lists.automattic.com
Thu Apr 8 04:08:15 UTC 2010 

#12109: map_meta_cap doesnt work for multisite superadmins
------------------------------------+---------------------------------------
 Reporter:  dd32                    |        Owner:          
     Type:  defect (bug)            |       Status:  reopened
 Priority:  normal                  |    Milestone:  3.0     
Component:  Role/Capability         |      Version:          
 Severity:  normal                  |   Resolution:          
 Keywords:  multisite dev-feedback  |  
------------------------------------+---------------------------------------

Comment(by nacin):

 Whenever these functions are used in core, they need to be paired with
 proper capability checks, and they are.

 Here are various functions that do not have any capability checks:
 wp_delete_post(), wp_delete_user(), wp_revoke_user(), wp_insert_user(),
 not to mention the entire capabilities API.

 Not providing a full API is a huge problem, and it rears its head all too
 often. It happens in MU code all over the place. It stifles innovation and
 it prevents us from making changes in the future without breaking every
 plugin that had to go it alone previously.

 If we decide to change the storage schema, or offer an alternative such as
 #12815, anyone not using the API will have their code broken. In many
 cases, we are providing an API so we can detach plugins from the schema
 underneath, enabling it to evolve and be flexible.

 Any plugin can run update_site_option(), any plugin can modify the DB
 value, any plugin can attach hooks to the _site_option() API, and any
 plugin should be able to avoid all of those and use an abstracted API
 without penalty.

 It boils down to this: Plugins and themes can do anything. They're just
 going to avoid the API when we pretend they can't or when we attempt to
 restrict them.

 I am reverting [14011] and adding in transaction actions.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/12109#comment:14>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list