[wp-trac] [WordPress Trac] #49287: Users with no page deletion capabilities can delete homepage in multisite
WordPress Trac
noreply at wordpress.org
Fri Jan 24 16:37:27 UTC 2020
#49287: Users with no page deletion capabilities can delete homepage in multisite
-----------------------------+-----------------------------
 Reporter:  robdxw           |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Role/Capability  |    Version:
 Severity:  normal           |   Keywords:
  Focuses:  multisite        |
-----------------------------+-----------------------------
To recreate:
- Set up a vanilla multisite. On one of the sites, set a static page as
the homepage. Create a second page for comparison purposes.
- Create a standard administrator user on that site. By default, they have
permission to delete both the pages referred to above (expected
behaviour).
- Add the following to the theme's `functions.php`:
{{{
// Strip every page-deletion capability from the administrator role.
add_action('init', function () {
    $role = get_role('administrator');
    $role->remove_cap('delete_pages');
    $role->remove_cap('delete_others_pages');
    $role->remove_cap('delete_published_pages');
});
}}}
The administrator role is now unable to delete pages EXCEPT the page that
is set as the homepage, which they are still able to trash.
It appears this bug exists in v4.7 onwards. In 4.6.1 I see the expected
behaviour: this code prevents an administrator from trashing any pages,
including the page set as the homepage.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49287>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
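
One way a site owner could guard against the behaviour reported above, as an added example that is not part of the original ticket or of WordPress core: a `map_meta_cap` filter that additionally requires the page-deletion capabilities for the static front page and the posts page, plus a check that lists which of those pages a given user can still delete. The `example_` function names and the placement in a must-use plugin are assumptions.

```php
<?php
// Added example, not WordPress core code. Assumption: loaded as a must-use
// plugin so it applies on every site of the network.

// Hypothetical helper: IDs of the static front page and the posts page.
function example_special_page_ids() {
    return array_values( array_filter( array_map( 'intval', array(
        get_option( 'page_on_front' ),
        get_option( 'page_for_posts' ),
    ) ) ) );
}

add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( 'delete_post' !== $cap && 'delete_page' !== $cap ) {
        return $caps;
    }
    if ( empty( $args[0] ) || ! in_array( (int) $args[0], example_special_page_ids(), true ) ) {
        return $caps;
    }
    $post = get_post( (int) $args[0] );
    if ( ! $post || 'page' !== $post->post_type ) {
        return $caps;
    }
    // Keep whatever core already requires and additionally require the
    // page-deletion capabilities removed in the ticket's functions.php snippet.
    $caps[] = 'delete_pages';
    if ( 'publish' === $post->post_status ) {
        $caps[] = 'delete_published_pages';
    }
    if ( (int) $post->post_author !== (int) $user_id ) {
        $caps[] = 'delete_others_pages';
    }
    return array_unique( $caps );
}, 10, 4 );

// Hypothetical check: which special pages can this user still delete?
// An empty array is the expected result for a role without delete caps.
function example_deletable_special_pages( $user_id ) {
    return array_values( array_filter(
        example_special_page_ids(),
        function ( $page_id ) use ( $user_id ) {
            return user_can( $user_id, 'delete_post', $page_id );
        }
    ) );
}
```

Super admins on a multisite network pass every capability check, so run `example_deletable_special_pages()` against a standard site administrator, as in the ticket.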