Opened 4 months ago
Last modified 7 weeks ago
#53224 new defect (bug)
Super admin cannot set an application password on a site they're not a member of
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 5.9 | Priority: | normal |
| Severity: | normal | Version: | 5.6 |
| Component: | Application Passwords | Keywords: | has-patch has-unit-tests dev-feedback |
| Focuses: | multisite | Cc: | |
Description
Steps to reproduce:
- Log into a Multisite installation as a Super Admin
- Visit the admin area of a site you're not a member of
- Visit your profile editing screen on that site (/wp-admin/profile.php)
- Try to add an application password
- Observe a mystery error message of "Invalid user ID"
This is due to this piece of logic which requires that the user is a member of the current site in order to set an application password.
To fix this, one of the following should be done:
- Skip this check for Super Admins and always allow them to add an application password
- Improve the error message and direct them to their network admin profile
Attachments (1)
Change History (8)
#1
@
4 months ago
- Keywords good-first-bug added
- Milestone changed from Awaiting Review to Future Release
This ticket was mentioned in PR #1538 on WordPress/wordpress-develop by johnbillion.
7 weeks ago
- Keywords has-unit-tests added
Trac ticket: https://core.trac.wordpress.org/ticket/53224
#5
@
7 weeks ago
- Keywords dev-feedback added; good-first-bug removed
The PR at https://github.com/WordPress/wordpress-develop/pull/1538 adds a test for this and switches to using a capability check instead of a direct check for is_super_admin(). Just need somebody (eg. @georgestephanis) to confirm that the manage_sites cap makes sense.
#6
@
7 weeks ago
georgestephanis commented on PR #1538:
Hrm. My MU-Fu is a bit on the weak side of late, I'm not sure if a global manage sites cap is best or -- is there maybe a manage_site( $site_id ) check, in case folks can manage one network but not another in the case of multi-network?
cc: @JJJ who I've always deferred to on this sort of thing for a hot take.
#7
@
7 weeks ago
johnbillion commented on PR #1538:
Unfortunately there's no further granularity to manage_sites, see https://core.trac.wordpress.org/ticket/36940
Skipping the check for super admins makes sense to me!
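
The three permission policies discussed in this ticket, as an added example that is not code from WordPress core or from PR #1538: a self-contained PHP model comparing the membership-only check, a Super Admin bypass, and a manage_sites capability bypass. The user IDs, site IDs, data arrays and the allowed_* function names are constructed for illustration, and combining each bypass with the membership check by OR is an assumption of the model.

```php
<?php
// Added model of the permission decision; not WordPress core code.
// Constructed sample data: site memberships and network-wide capabilities.
$memberships = array(            // user ID => site IDs the user belongs to
    1 => array( 1 ),             // Super Admin, member of site 1 only
    2 => array( 2 ),             // ordinary member of site 2
    3 => array(),                // granted manage_sites, member of no site
    4 => array( 1 ),             // ordinary member of site 1 only
);
$network_caps = array(           // user ID => network-wide capabilities
    1 => array( 'manage_sites' ),
    3 => array( 'manage_sites' ),
);
$super_admins = array( 1 );

// Behaviour reported in the ticket: membership of the current site is required.
function allowed_membership_only( $user_id, $site_id ) {
    global $memberships;
    return in_array( $site_id, $memberships[ $user_id ] ?? array(), true );
}

// First option from the description: skip the check for Super Admins.
function allowed_super_admin_bypass( $user_id, $site_id ) {
    global $super_admins;
    return in_array( $user_id, $super_admins, true )
        || allowed_membership_only( $user_id, $site_id );
}

// Approach described in comment #5: a capability check on manage_sites.
function allowed_capability_bypass( $user_id, $site_id ) {
    global $network_caps;
    return in_array( 'manage_sites', $network_caps[ $user_id ] ?? array(), true )
        || allowed_membership_only( $user_id, $site_id );
}

// Print the decision of each policy for every user on site 2.
foreach ( array( 1, 2, 3, 4 ) as $user_id ) {
    printf(
        "user %d on site 2: membership=%s super_admin=%s capability=%s\n",
        $user_id,
        var_export( allowed_membership_only( $user_id, 2 ), true ),
        var_export( allowed_super_admin_bypass( $user_id, 2 ), true ),
        var_export( allowed_capability_bypass( $user_id, 2 ), true )
    );
}
```

User 3 is where the two bypasses differ: a capability check admits any account holding manage_sites, and since that capability has no per-site granularity (comment #7), the grant applies to every site in the model.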