[wp-trac] [WordPress Trac] #53694: Multisite: Capability check isn't strict enough when hard deleting a site
WordPress Trac
noreply at wordpress.org
Mon Jul 19 19:52:29 UTC 2021
#53694: Multisite: Capability check isn't strict enough when hard deleting a site
--------------------------------+-----------------------------
 Reporter:  henry.wright        |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Networks and Sites  |    Version:
 Severity:  normal              |   Keywords:
  Focuses:  multisite           |
--------------------------------+-----------------------------
If the second argument passed to {{{wpmu_delete_blog()}}} is {{{true}}},
then a site can be hard deleted. By hard deleted I mean the site's
database table will be dropped.

My understanding is, the {{{delete_sites}}} capability is granted to super
administrators only. {{{delete_sites}}} will let the super administrator
hard delete a site. Administrators don't have this capability. Instead,
administrators have the {{{delete_site}}} capability.

In wp-admin/network/sites.php, {{{wpmu_delete_blog()}}} is called with
{{{true}}} as the second argument. The capability check in this case is
{{{delete_site}}}. Should this be {{{delete_sites}}}?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53694>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
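
Added example (not part of the original ticket and not WordPress core code): a sketch of the stricter check the ticket asks about, where the table-dropping path of wpmu_delete_blog() additionally requires the network-level delete_sites capability. The wrapper name example_guarded_delete_site() and the example_* error codes are hypothetical.

```php
<?php
/**
 * Hypothetical wrapper, not WordPress core code: delete a site, requiring
 * the network-level capability whenever the delete would drop its tables.
 *
 * @param int  $site_id Site to delete.
 * @param bool $drop    True to hard delete (drop the site's tables).
 * @return true|WP_Error
 */
function example_guarded_delete_site( $site_id, $drop = false ) {
	$site_id = (int) $site_id;

	if ( ! is_multisite() ) {
		return new WP_Error( 'example_not_multisite', 'Multisite is not enabled.' );
	}

	// Refuse invalid IDs and the network's main site.
	if ( $site_id <= 0 || is_main_site( $site_id ) ) {
		return new WP_Error( 'example_invalid_site', 'This site cannot be deleted.' );
	}

	// Per-site check: the caller must be allowed to delete this specific site.
	if ( ! current_user_can( 'delete_site', $site_id ) ) {
		return new WP_Error( 'example_forbidden', 'You may not delete this site.' );
	}

	// Stricter check for the destructive path: dropping tables also
	// requires the network-level delete_sites capability.
	if ( $drop && ! current_user_can( 'delete_sites' ) ) {
		return new WP_Error( 'example_forbidden_drop', 'You may not permanently delete sites.' );
	}

	// wpmu_delete_blog() is defined in an admin include; load it if needed.
	if ( ! function_exists( 'wpmu_delete_blog' ) ) {
		require_once ABSPATH . 'wp-admin/includes/ms.php';
	}

	wpmu_delete_blog( $site_id, (bool) $drop );
	return true;
}
```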