[wp-trac] [WordPress Trac] #14454: function map_meta_cap does not use the user ID when checking super admin

WordPress Trac wp-trac at lists.automattic.com
Thu Jul 29 10:01:08 UTC 2010


#14454: function map_meta_cap does not use the user ID when checking super admin
--------------------------+-------------------------------------------------
 Reporter:  dlo           |       Owner:                              
     Type:  defect (bug)  |      Status:  new                         
 Priority:  normal        |   Milestone:  Awaiting Review             
Component:  General       |     Version:  3.0                         
 Severity:  critical      |    Keywords:  capability check super admin
--------------------------+-------------------------------------------------
 The function map_meta_cap in capabilities.php is checking for super admins
 in various places like:

 {{{
 case 'edit_users':
         // If multisite these caps are allowed only for super admins.
         if ( is_multisite() && !is_super_admin() )
                 $caps[] = 'do_not_allow';
         else
                 $caps[] = 'edit_users'; // Explicit due to primitive fall through
         break;
 }}}

 or

 {{{
 case 'delete_user':
 case 'delete_users':
         // If multisite these caps are allowed only for super admins.
         if ( is_multisite() && !is_super_admin() )
                 $caps[] = 'do_not_allow';
         else
                 $caps[] = $cap;
         break;
 }}}

 In both cases, the function is_super_admin is used without any parameter.
 That means it checks whether the currently connected user is a super admin,
 not the user passed to the function map_meta_cap.

 In my opinion, this is a bug and the correct code should be:
 {{{
 case 'edit_users':
         // If multisite these caps are allowed only for super admins.
         if ( is_multisite() && !is_super_admin($user_id) )
                 $caps[] = 'do_not_allow';
         else
                 $caps[] = 'edit_users'; // Explicit due to primitive fall through
         break;
 }}}

 and

 {{{
 case 'delete_user':
 case 'delete_users':
         // If multisite these caps are allowed only for super admins.
         if ( is_multisite() && !is_super_admin($user_id) )
                 $caps[] = 'do_not_allow';
         else
                 $caps[] = $cap;
         break;
 }}}

 Am I right?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/14454>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
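The difference the reporter describes, as an added runnable illustration that is not part of the ticket or of WordPress core. `is_multisite()`, `is_super_admin()` and the two `map_meta_cap_*` functions below are constructed stand-ins with the same calling conventions as the real ones (no argument to `is_super_admin()` means "the current user"), so the two variants of the switch can be compared without a WordPress install; the user IDs and the super-admin list are constructed sample data.

```php
<?php
// Added illustration for ticket #14454; not WordPress core code.
// is_multisite(), is_super_admin() and the map_meta_cap_* variants are
// constructed stand-ins so the two checks can be run side by side.

$current_user_id = 1;            // constructed: the logged-in user is user 1
$super_admins    = array( 1 );   // constructed: user 1 is the only super admin

function is_multisite() {
	return true;                 // assumed: a multisite network, where the branch applies
}

// Stand-in with WordPress's calling convention: no argument (or false) means
// "the current user"; otherwise the user ID that was passed is tested.
function is_super_admin( $user_id = false ) {
	global $current_user_id, $super_admins;
	if ( false === $user_id ) {
		$user_id = $current_user_id;
	}
	return in_array( (int) $user_id, $super_admins, true );
}

// Variant A: the shipped code quoted in the ticket. $user_id is accepted,
// but the super-admin test looks at the logged-in user instead.
function map_meta_cap_as_shipped( $cap, $user_id ) {
	$caps = array();
	switch ( $cap ) {
		case 'edit_users':
		case 'delete_users':
			if ( is_multisite() && ! is_super_admin() )
				$caps[] = 'do_not_allow';
			else
				$caps[] = $cap;
			break;
	}
	return $caps;
}

// Variant B: the fix proposed in the ticket. The test is made about the
// user whose capabilities are actually being mapped.
function map_meta_cap_proposed( $cap, $user_id ) {
	$caps = array();
	switch ( $cap ) {
		case 'edit_users':
		case 'delete_users':
			if ( is_multisite() && ! is_super_admin( $user_id ) )
				$caps[] = 'do_not_allow';
			else
				$caps[] = $cap;
			break;
	}
	return $caps;
}

// Constructed scenario: the super admin (user 1) is logged in, and some code
// asks which primitive caps an ordinary user (ID 42, not a super admin)
// maps to for the two meta caps.
$target_user = 42;
foreach ( array( 'edit_users', 'delete_users' ) as $cap ) {
	printf( "%-13s shipped: %-13s proposed: %s\n",
		$cap,
		implode( ',', map_meta_cap_as_shipped( $cap, $target_user ) ),
		implode( ',', map_meta_cap_proposed( $cap, $target_user ) )
	);
}
```

With user 1 logged in, the shipped variant maps user 42's `edit_users` and `delete_users` to the primitive cap itself, because the decision was made about user 1, while the proposed variant maps both to `do_not_allow`. Swapping the roles (an ordinary user logged in, caps resolved for the super admin) inverts the result in the same way. The discrepancy only appears when capabilities are resolved for a user other than the logged-in one, which is why testing each code path only as the logged-in user would not surface it.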