[wp-trac] [WordPress Trac] #53224: Super admin cannot set an application password on a site they're not a member of
WordPress Trac
noreply at wordpress.org
Tue May 18 10:23:27 UTC 2021
#53224: Super admin cannot set an application password on a site they're not a
member of
-----------------------------------+-----------------------------
Reporter: johnbillion | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version: 5.6
Severity: normal | Keywords: needs-patch
Focuses: multisite |
-----------------------------------+-----------------------------
Steps to reproduce:
1. Log into a Multisite installation as a Super Admin
2. Visit the admin area of a site you're not a member of
3. Visit your profile editing screen on that site (`/wp-admin/profile.php`)
4. Try to add an application password
5. Observe a mystery error message of "Invalid user ID"
This is due to [https://github.com/johnbillion/wordpress-develop/blob/953446d4d6e388b75b0f22005c9643c9811a3aca/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php#L710-L712 this piece of logic]
which requires that the user is a member of the current site in order to
set an application password.
To fix this, one of the following should be done:
1. Skip this check for Super Admins and always allow them to add an
application password
2. Improve the error message and direct them to their network admin
profile
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53224>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform