[wp-trac] [WordPress Trac] #50260: Multisite - Getting actual user capabilities with get_role_caps() different with current_user_can()
WordPress Trac
noreply at wordpress.org
Wed May 27 08:33:02 UTC 2020
#50260: Multisite - Getting actual user capabilities with get_role_caps() different with current_user_can()
-----------------------------+-----------------------------
 Reporter:  Mahesh901122     |      Owner:  (none)
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Role/Capability  |    Version:  5.4.1
 Severity:  normal           |   Keywords:  dev-feedback
  Focuses:                   |
-----------------------------+-----------------------------
If I check the user capabilities below for an **Administrator**, then I get
both capabilities as `false`.
{{{
current_user_can( 'install_plugins' )
current_user_can( 'activate_plugins' )
}}}
But if I check the same capabilities while logged in as the **Super
Administrator**, then both return `true`.
The **administrator** user role has no such capabilities, but if we check
the current user's capabilities with:
{{{
$current_user = wp_get_current_user();
print_r( $current_user->allcaps );
print_r( $current_user->get_role_caps() );
}}}
then for the **administrator** user role I get the list of capabilities
below:
{{{
// Array
// (
// [switch_themes] => 1
// [edit_themes] => 1
// [activate_plugins] => 1
// [edit_plugins] => 1
// [edit_users] => 1
// [edit_files] => 1
// [manage_options] => 1
// [moderate_comments] => 1
// [manage_categories] => 1
// [manage_links] => 1
// [upload_files] => 1
// [import] => 1
// [unfiltered_html] => 1
// [edit_posts] => 1
// [edit_others_posts] => 1
// [edit_published_posts] => 1
// [publish_posts] => 1
// [edit_pages] => 1
// [read] => 1
// [level_10] => 1
// [level_9] => 1
// [level_8] => 1
// [level_7] => 1
// [level_6] => 1
// [level_5] => 1
// [level_4] => 1
// [level_3] => 1
// [level_2] => 1
// [level_1] => 1
// [level_0] => 1
// [edit_others_pages] => 1
// [edit_published_pages] => 1
// [publish_pages] => 1
// [delete_pages] => 1
// [delete_others_pages] => 1
// [delete_published_pages] => 1
// [delete_posts] => 1
// [delete_others_posts] => 1
// [delete_published_posts] => 1
// [delete_private_posts] => 1
// [edit_private_posts] => 1
// [read_private_posts] => 1
// [delete_private_pages] => 1
// [edit_private_pages] => 1
// [read_private_pages] => 1
// [delete_users] => 1
// [create_users] => 1
// [unfiltered_upload] => 1
// [edit_dashboard] => 1
// [update_plugins] => 1
// [delete_plugins] => 1
// [install_plugins] => 1
// [update_themes] => 1
// [install_themes] => 1
// [update_core] => 1
// [list_users] => 1
// [remove_users] => 1
// [promote_users] => 1
// [edit_theme_options] => 1
// [delete_themes] => 1
// [export] => 1
// [restrict_content] => 1
// [list_roles] => 1
// [administrator] => 1
// )
}}}
Here we can see the Administrator user has the capabilities:
{{{
// [install_plugins] => 1
// [activate_plugins] => 1
}}}
But when we check them with `current_user_can()`, both return `false`.
After debugging in depth, I found that `do_not_allow` is set for
non-super-admin users for the `install_plugins` capability.
{{{
case 'update_plugins':
case 'delete_plugins':
case 'install_plugins':
case 'upload_plugins':
case 'update_themes':
case 'delete_themes':
case 'install_themes':
case 'upload_themes':
case 'update_core':
    ...
    } elseif ( is_multisite() && ! is_super_admin( $user_id ) ) {
        $caps[] = 'do_not_allow';
    ....
    break;
}}}
The same applies to `activate_plugins`: the capabilities are set as
`["activate_plugins","manage_network_plugins"]`.
{{{
case 'activate_plugins':
case 'deactivate_plugins':
case 'activate_plugin':
case 'deactivate_plugin':
    $caps[] = 'activate_plugins';
    if ( is_multisite() ) {
        // update_, install_, and delete_ are handled above with is_super_admin().
        $menu_perms = get_site_option( 'menu_items', array() );
        if ( empty( $menu_perms['plugins'] ) ) {
            $caps[] = 'manage_network_plugins';
        }
    }
    break;
}}}
So, ideally only those capabilities should be returned by
`$current_user->get_role_caps()`.
Those capabilities which the current user can't perform need to be excluded
from the list, e.g. `do_not_allow`.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50260>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
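The following stand-alone PHP script is an added illustration of the behaviour the ticket describes; it is not code from the ticket or from WordPress core. The functions `model_map_meta_cap()`, `model_has_cap()` and `effective_caps()`, the `$ctx` array standing in for `is_multisite()`, `is_super_admin()` and `get_site_option( 'menu_items' )`, and the reduced `ADMIN_ROLE_CAPS` set are all assumptions made for the example: they reproduce only the two `map_meta_cap()` branches quoted above and the `do_not_allow` / super-admin rules of `WP_User::has_cap()`, so the script runs without a WordPress install.

```php
<?php
// Added example (not WordPress core code): a reduced model of how a
// capability check is resolved, to show why a role's primitive capabilities
// (what get_role_caps() / allcaps report) can list install_plugins => 1
// while current_user_can( 'install_plugins' ) still returns false.

// Subset of the primitive capabilities printed for "administrator" above.
const ADMIN_ROLE_CAPS = [
    'activate_plugins' => true,
    'install_plugins'  => true,
    'manage_options'   => true,
    'read'             => true,
];

/**
 * Reduced model of map_meta_cap(): translate the requested capability into
 * the primitive capabilities the user must actually hold.
 * $ctx is an assumption standing in for core's environment lookups:
 *   'multisite'   => is_multisite()
 *   'super_admin' => is_super_admin( $user_id )
 *   'menu_perms'  => get_site_option( 'menu_items', array() )
 */
function model_map_meta_cap( string $cap, array $ctx ): array {
    $caps = [];
    switch ( $cap ) {
        case 'update_plugins':
        case 'delete_plugins':
        case 'install_plugins':
        case 'update_themes':
        case 'delete_themes':
        case 'install_themes':
        case 'update_core':
            // Non-super-admins on multisite are hard-denied file-modifying caps.
            if ( $ctx['multisite'] && ! $ctx['super_admin'] ) {
                $caps[] = 'do_not_allow';
            } else {
                $caps[] = $cap;
            }
            break;
        case 'activate_plugins':
        case 'deactivate_plugins':
            $caps[] = 'activate_plugins';
            // On multisite an extra network-level primitive is required unless
            // the network has enabled the Plugins menu for site admins.
            if ( $ctx['multisite'] && empty( $ctx['menu_perms']['plugins'] ) ) {
                $caps[] = 'manage_network_plugins';
            }
            break;
        default:
            $caps[] = $cap;
    }
    return $caps;
}

/**
 * Reduced model of WP_User::has_cap(): 'do_not_allow' always fails, a
 * multisite super admin passes anything else, and otherwise every mapped
 * primitive must be present in the user's allcaps.
 */
function model_has_cap( array $allcaps, string $cap, array $ctx ): bool {
    $required = model_map_meta_cap( $cap, $ctx );
    if ( in_array( 'do_not_allow', $required, true ) ) {
        return false;
    }
    if ( $ctx['multisite'] && $ctx['super_admin'] ) {
        return true;
    }
    foreach ( $required as $primitive ) {
        if ( empty( $allcaps[ $primitive ] ) ) {
            return false;
        }
    }
    return true;
}

/**
 * The "actual" capability list the ticket asks for: the role's primitives
 * filtered through the same mapping a real check would apply.
 */
function effective_caps( array $allcaps, array $ctx ): array {
    return array_filter(
        $allcaps,
        fn( $granted, $cap ) => $granted && model_has_cap( $allcaps, $cap, $ctx ),
        ARRAY_FILTER_USE_BOTH
    );
}

// Constructed contexts: single site, multisite site admin, multisite super admin.
$single = [ 'multisite' => false, 'super_admin' => false, 'menu_perms' => [] ];
$multi  = [ 'multisite' => true,  'super_admin' => false, 'menu_perms' => [] ];
$super  = [ 'multisite' => true,  'super_admin' => true,  'menu_perms' => [] ];

foreach ( [ 'single' => $single, 'multisite' => $multi, 'super admin' => $super ] as $label => $ctx ) {
    printf( "%-12s install_plugins=%s activate_plugins=%s effective=[%s]\n",
        $label,
        var_export( model_has_cap( ADMIN_ROLE_CAPS, 'install_plugins', $ctx ), true ),
        var_export( model_has_cap( ADMIN_ROLE_CAPS, 'activate_plugins', $ctx ), true ),
        implode( ', ', array_keys( effective_caps( ADMIN_ROLE_CAPS, $ctx ) ) )
    );
}
```

In the single-site context both checks pass; in the multisite site-admin context `install_plugins` is mapped to `do_not_allow` and `activate_plugins` additionally demands `manage_network_plugins`, so both fail and drop out of the effective list even though the role still carries them as primitives, while the super admin passes everything. The practical takeaway is that `allcaps` and `get_role_caps()` are the role's raw grant table, not an authorisation decision: any code that gates an action must go through `current_user_can()` / `user_can()`, which apply `map_meta_cap()`, and a list of capabilities the user can "actually" perform has to be derived by running each primitive through that same mapping, as `effective_caps()` does here.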