[wp-trac] [WordPress Trac] #39206: Replace `is_super_admin()` with `current_user_can( 'manage_options' )` in wp-admin/network.php
WordPress Trac
noreply at wordpress.org
Tue Jan 24 10:25:29 UTC 2017
#39206: Replace `is_super_admin()` with `current_user_can( 'manage_options' )` in
wp-admin/network.php
-------------------------------------------------+------------------------
 Reporter:  ashokkumar24                         |      Owner:  flixos90
 Type:      enhancement                          |     Status:  reviewing
 Priority:  normal                               |  Milestone:  4.8
 Component: Role/Capability                      |    Version:
 Severity:  normal                               | Resolution:
 Keywords:  has-patch 2nd-opinion needs-refresh  |    Focuses:  multisite
-------------------------------------------------+------------------------
Changes (by flixos90):
* keywords: has-patch => has-patch 2nd-opinion needs-refresh
Comment:
I noticed that we might need to rethink our actions here. With the current
patch, the capability required is always `manage_options`. That means when
a user on an already-setup multisite tries to access
`wp-admin/network/setup.php`, they can do so even if they are not a network
administrator. So we need to change the check in the following way:
* If a multisite, the user must have `manage_network`.
* If not a multisite, the user must have `manage_options`.
There's a little room for discussion on how we implement this. I see two
possible ways:
* Just make the clause a little more complex (as in
`is_multisite() && ! current_user_can( 'manage_network' ) || ! is_multisite() && ! current_user_can( 'manage_options' )`).
* Introduce a meta capability `setup_network` and handle the above check
in `map_meta_cap()`.
I think the latter approach would be cleaner. Just as a reminder, we would
need to add the new meta capability to the unit tests as well.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39206#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
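
The following is an added example, not part of the original message or of WordPress core. It models the second option from the comment: `setup_network` is the meta capability the comment proposes, while the `example_*` function names and the sample users are assumptions made for illustration. Run stand-alone, it prints where the always-`manage_options` check and the proposed check disagree.

```php
<?php
// Added example: models the check discussed in the comment; not WordPress core code.
// `setup_network` is the meta capability proposed in the comment; the
// example_* names and the sample users below are constructed for illustration.

/** Resolve the proposed meta capability to the primitive capability it requires. */
function example_map_setup_network( array $caps, string $cap, bool $is_multisite ): array {
	if ( 'setup_network' !== $cap ) {
		return $caps; // Leave every other capability untouched.
	}
	return array( $is_multisite ? 'manage_network' : 'manage_options' );
}

/** Check from the current patch: always `manage_options`. */
function example_patch_allows( array $user_caps ): bool {
	return in_array( 'manage_options', $user_caps, true );
}

/** Proposed check: the user must hold every capability the meta cap maps to. */
function example_proposed_allows( array $user_caps, bool $is_multisite ): bool {
	$required = example_map_setup_network( array( 'setup_network' ), 'setup_network', $is_multisite );
	return ! array_diff( $required, $user_caps );
}

if ( function_exists( 'add_filter' ) ) {
	// Inside WordPress: hook the same mapping into the real `map_meta_cap` filter.
	add_filter( 'map_meta_cap', function ( $caps, $cap ) {
		return example_map_setup_network( $caps, $cap, is_multisite() );
	}, 10, 2 );
} else {
	// Stand-alone: compare both checks over constructed, simplified users.
	$users = array(
		'site administrator'    => array( 'manage_options' ),
		'network administrator' => array( 'manage_options', 'manage_network' ),
		'editor'                => array(),
	);
	foreach ( array( false, true ) as $is_multisite ) {
		foreach ( $users as $label => $user_caps ) {
			printf(
				"%-11s %-22s patch=%-5s proposed=%s\n",
				$is_multisite ? 'multisite' : 'single-site',
				$label,
				var_export( example_patch_allows( $user_caps ), true ),
				var_export( example_proposed_allows( $user_caps, $is_multisite ), true )
			);
		}
	}
}
```

The only row where the two checks differ is the site administrator on multisite, which is the case the comment raises.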