[wp-trac] [WordPress Trac] #50260: Multisite - Getting actual user capabilities with get_role_caps() different with current_user_can()

WordPress Trac noreply at wordpress.org
Wed May 27 08:33:02 UTC 2020


#50260: Multisite - Getting actual user capabilities with get_role_caps() different
with current_user_can()
-----------------------------+-----------------------------
 Reporter:  Mahesh901122     |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Role/Capability  |    Version:  5.4.1
 Severity:  normal           |   Keywords:  dev-feedback
  Focuses:                   |
-----------------------------+-----------------------------
 If I check the user capabilities below for **Administrator**, then I get both
 capabilities as `false`.


 {{{
 current_user_can( 'install_plugins' )
 current_user_can( 'activate_plugins' )
 }}}

 But if I check the same capabilities by logging in as the **Super
 Administrator**, then both return `true`.

 The **administrator** user role has no such capabilities, but if we check
 the current user's capabilities with:

 {{{
 $current_user = wp_get_current_user();
 print_r( $current_user->allcaps );
 print_r( $current_user->get_role_caps() );
 }}}

 Then for the **administrator** user role, I get the list of capabilities
 below:
 {{{
 // Array
 // (
 //     [switch_themes] => 1
 //     [edit_themes] => 1
 //     [activate_plugins] => 1
 //     [edit_plugins] => 1
 //     [edit_users] => 1
 //     [edit_files] => 1
 //     [manage_options] => 1
 //     [moderate_comments] => 1
 //     [manage_categories] => 1
 //     [manage_links] => 1
 //     [upload_files] => 1
 //     [import] => 1
 //     [unfiltered_html] => 1
 //     [edit_posts] => 1
 //     [edit_others_posts] => 1
 //     [edit_published_posts] => 1
 //     [publish_posts] => 1
 //     [edit_pages] => 1
 //     [read] => 1
 //     [level_10] => 1
 //     [level_9] => 1
 //     [level_8] => 1
 //     [level_7] => 1
 //     [level_6] => 1
 //     [level_5] => 1
 //     [level_4] => 1
 //     [level_3] => 1
 //     [level_2] => 1
 //     [level_1] => 1
 //     [level_0] => 1
 //     [edit_others_pages] => 1
 //     [edit_published_pages] => 1
 //     [publish_pages] => 1
 //     [delete_pages] => 1
 //     [delete_others_pages] => 1
 //     [delete_published_pages] => 1
 //     [delete_posts] => 1
 //     [delete_others_posts] => 1
 //     [delete_published_posts] => 1
 //     [delete_private_posts] => 1
 //     [edit_private_posts] => 1
 //     [read_private_posts] => 1
 //     [delete_private_pages] => 1
 //     [edit_private_pages] => 1
 //     [read_private_pages] => 1
 //     [delete_users] => 1
 //     [create_users] => 1
 //     [unfiltered_upload] => 1
 //     [edit_dashboard] => 1
 //     [update_plugins] => 1
 //     [delete_plugins] => 1
 //     [install_plugins] => 1
 //     [update_themes] => 1
 //     [install_themes] => 1
 //     [update_core] => 1
 //     [list_users] => 1
 //     [remove_users] => 1
 //     [promote_users] => 1
 //     [edit_theme_options] => 1
 //     [delete_themes] => 1
 //     [export] => 1
 //     [restrict_content] => 1
 //     [list_roles] => 1
 //     [administrator] => 1
 // )
 }}}

 Here we can see the Administrator user has the capabilities:

 {{{
 //     [install_plugins] => 1
 //     [activate_plugins] => 1
 }}}


 But when we check them with `current_user_can()`, both return `false`.

 After debugging in depth, I found that `do_not_allow` is set for
 non-super-admin users for the `install_plugins` capability.

 {{{
 case 'update_plugins':
 case 'delete_plugins':
 case 'install_plugins':
 case 'upload_plugins':
 case 'update_themes':
 case 'delete_themes':
 case 'install_themes':
 case 'upload_themes':
 case 'update_core':
         ...
         } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
                 $caps[] = 'do_not_allow';
         ....
         break;
 }}}

 Same for `activate_plugins`: the capabilities are set as
 `["activate_plugins","manage_network_plugins"]`

 {{{
 case 'activate_plugins':
 case 'deactivate_plugins':
 case 'activate_plugin':
 case 'deactivate_plugin':
         $caps[] = 'activate_plugins';
         if ( is_multisite() ) {
                 // update_, install_, and delete_ are handled above with is_super_admin().
                 $menu_perms = get_site_option( 'menu_items', array() );
                 if ( empty( $menu_perms['plugins'] ) ) {
                         $caps[] = 'manage_network_plugins';
                 }
         }
         break;
 }}}

 So, ideally only those capabilities should be returned by
 `$current_user->get_role_caps()`.

 Those capabilities which the current user can't perform need to be excluded
 from the list, e.g. `do_not_allow`.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/50260>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
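The ticket's point is that the role capability list (`allcaps` / `get_role_caps()`) is not an authorization decision: the authoritative check is `current_user_can()` / `user_can()`, which runs the capability through `map_meta_cap()`, where multisite can add `do_not_allow` or require `manage_network_plugins`. The following is an added example, not code from the ticket or from WordPress core, showing how to reconcile the two views for a given user. It assumes it runs inside a loaded WordPress install (for instance as an mu-plugin or via `wp eval-file`); `get_userdata()`, `map_meta_cap()`, `user_can()` and `WP_CLI::log()` are core APIs, while the `ticket50260_*` function names are hypothetical.

```php
<?php
/**
 * Added example (not part of the ticket or of WordPress core).
 *
 * Assumes WordPress is loaded (mu-plugin, theme functions.php, or
 * `wp eval-file`). All function names prefixed ticket50260_ are hypothetical.
 */

/**
 * For every capability in $user->allcaps, report whether the authoritative
 * check (user_can(), which goes through map_meta_cap()) actually grants it,
 * and if not, which primitive capability the denial comes from.
 *
 * @param int $user_id User to inspect.
 * @return array<string, array{granted: bool, required: string[], blocked_by: string[]}>
 */
function ticket50260_effective_caps( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return array();
    }

    $report = array();
    foreach ( array_keys( $user->allcaps ) as $cap ) {
        // Role names (e.g. 'administrator') also appear in allcaps; skip them.
        if ( ! empty( $user->roles ) && in_array( $cap, $user->roles, true ) ) {
            continue;
        }

        // map_meta_cap() expands a capability into the primitive capabilities
        // the user must hold; 'do_not_allow' is an unconditional deny.
        $required = map_meta_cap( $cap, $user_id );

        $blocked_by = array();
        foreach ( $required as $primitive ) {
            if ( 'do_not_allow' === $primitive || empty( $user->allcaps[ $primitive ] ) ) {
                $blocked_by[] = $primitive;
            }
        }

        $report[ $cap ] = array(
            // user_can() is the authoritative answer (it also applies the
            // user_has_cap filter, which blocked_by cannot see).
            'granted'    => user_can( $user_id, $cap ),
            'required'   => $required,
            'blocked_by' => $blocked_by,
        );
    }
    return $report;
}

/**
 * Only the capabilities the user can really exercise, i.e. the list the
 * ticket would like get_role_caps() to return.
 *
 * @param int $user_id User to inspect.
 * @return string[]
 */
function ticket50260_granted_caps( $user_id ) {
    $granted = array();
    foreach ( ticket50260_effective_caps( $user_id ) as $cap => $info ) {
        if ( $info['granted'] ) {
            $granted[] = $cap;
        }
    }
    return $granted;
}

// Usage when run through WP-CLI: list the role caps that the authoritative
// check denies for the current user (user 1 if nobody is logged in; constructed default).
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $user_id = get_current_user_id() ? get_current_user_id() : 1;
    foreach ( ticket50260_effective_caps( $user_id ) as $cap => $info ) {
        if ( ! $info['granted'] ) {
            WP_CLI::log( sprintf( '%s denied via [%s]', $cap, implode( ', ', $info['blocked_by'] ) ) );
        }
    }
}
```

On a multisite where the inspected user is a site administrator but not a super admin, `install_plugins` shows up with `blocked_by` containing `do_not_allow`, and `activate_plugins` with `manage_network_plugins` (unless the network's `menu_items['plugins']` option is enabled), which is exactly the discrepancy the ticket describes. The `granted` field, not the raw `allcaps` list, is what any access decision in plugin or theme code should rely on.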