[wp-trac] [WordPress Trac] #53694: Multisite: Capability check isn't strict enough when hard deleting a site

WordPress Trac noreply at wordpress.org
Wed Aug 6 18:41:34 UTC 2025


#53694: Multisite: Capability check isn't strict enough when hard deleting a site
--------------------------------+------------------------
 Reporter:  henry.wright        |       Owner:  (none)
     Type:  defect (bug)        |      Status:  closed
 Priority:  normal              |   Milestone:
Component:  Networks and Sites  |     Version:
 Severity:  normal              |  Resolution:  wontfix
 Keywords:  has-patch           |     Focuses:  multisite
--------------------------------+------------------------
Changes (by johnjamesjacoby):

 * keywords:  has-patch needs-testing => has-patch
 * status:  new => closed
 * resolution:   => wontfix
 * milestone:  Awaiting Review =>


Comment:

 > Should this be `delete_sites`?

 I think `delete_site` is OK.

 See [31673] for the introduction of `delete_site`. It was `manage_options`
 previously, and it still maps to it currently.

 > My understanding is, the `delete_sites` capability is granted to super
 administrators only

 Correct, grouped via `map_meta_cap()` with other super-admin caps such as
 `create_sites` and `manage_sites`.

 > Administrators don't have this capability. Instead, administrators have
 the `delete_site` capability.

 Correct again – `delete_site` is also a meta capability, currently like:

 {{{
 case 'delete_site':
         if ( is_multisite() ) {
                 $caps[] = 'manage_options';
         } else {
                 $caps[] = 'do_not_allow';
         }
         break;
 }}}

 > The capability check in this case is `delete_site`.

 It is somewhat confusing that almost all `delete_site` cap checks pass in
 a blog ID (similar to other singular capabilities like `delete_post`) even
 though it is not used by WordPress internally, but then `menu.php` is
 forced to use it without one from [31673] – but it is nice to pass in for
 plugins to use.

 (We could have the `delete_site` meta-cap default to
 `get_current_blog_id()`, but that would make it different from all of the
 other ID-based singular mapped caps that `_doing_it_wrong()` if no ID is
 passed.)

 ----

 Let's close this as wontfix, and we can maybe open a new issue later for
 the `delete_site` inconsistencies.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53694#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
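
As an added example (not code from the ticket or from WordPress core), this is one way a plugin could use the blog ID passed to `delete_site` checks to require the super-admin-only `delete_sites` capability for selected sites, through the `map_meta_cap` filter. The function name, constant name, and site IDs are hypothetical.

```php
<?php
/**
 * Plugin Name: Strict delete_site (illustrative example)
 */

// Hypothetical list of site IDs that only super admins may delete (constructed values).
const EXAMPLE_PROTECTED_SITE_IDS = array( 1, 7 );

/**
 * Tighten the primitive caps required for the `delete_site` meta capability.
 *
 * @param string[] $caps    Primitive capabilities core already requires.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User being checked.
 * @param array    $args    Extra arguments; $args[0] is the blog ID when the caller passed one.
 * @return string[] Primitive capabilities the user must hold.
 */
function example_strict_delete_site_cap( $caps, $cap, $user_id, $args ) {
	if ( 'delete_site' !== $cap || ! is_multisite() ) {
		return $caps;
	}

	// Some callers (menu.php, per the comment above) check the cap without an ID,
	// so fall back to the current site in that case.
	$site_id = isset( $args[0] ) ? (int) $args[0] : get_current_blog_id();

	if ( in_array( $site_id, EXAMPLE_PROTECTED_SITE_IDS, true ) ) {
		// Keep core's `manage_options` requirement and additionally require
		// `delete_sites`, which only super admins satisfy.
		$caps[] = 'delete_sites';
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'example_strict_delete_site_cap', 10, 4 );
```

With this filter active, `current_user_can( 'delete_site', 7 )` is false for a regular site administrator and true for a super admin, while unlisted sites keep core's behaviour.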

