Super admin cannot set an application password on a site they're not a member of

[johnbillion]

Steps to reproduce:

1. Log into a Multisite installation as a Super Admin
2. Visit the admin area of a site you're not a member of
3. Visit your profile editing screen on that site (/wp-admin/profile.php)
4. Try to add an application password
5. Observe a mystery error message of "Invalid user ID"

This is due to ​this piece of logic which requires that the user is a member of the current site in order to set an application password.

To fix this, one of the following should be done:

1. Skip this check for Super Admins and always allow them to add an application password
2. Improve the error message and direct them to their network admin profile

[TimothyBlynJacobs]

Skipping the check for super admins makes sense to me!

Trac ticket: https://core.trac.wordpress.org/ticket/53224

[johnbillion]

The PR at ​https://github.com/WordPress/wordpress-develop/pull/1538 adds a test for this and switches to using a capability check instead of a direct check for is_super_admin(). Just need somebody (eg. @georgestephanis) to confirm that the manage_sites cap makes sense.

[prbot]

​georgestephanis commented on ​PR #1538:

Hrm. My MU-Fu is a bit on the weak side of late, I'm not sure if a global manage sites cap is best or -- is there maybe a manage_site( $site_id ) check, in case folks can manage one network but not another in the case of multi-network?

cc: @JJJ who I've always deferred to on this sort of thing for a hot take.

[prbot]

​johnbillion commented on ​PR #1538:

Unfortunately there's no further granularity to manage_sites, see https://core.trac.wordpress.org/ticket/36940