Opened 3 years ago
Last modified 3 years ago
#53694 new defect (bug)
Multisite: Capability check isn't strict enough when hard deleting a site
| Reported by: |
henry.wright
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Networks and Sites | Keywords: | has-patch needs-testing |
| Focuses: | multisite | Cc: |
Description
If the second argument passed to wpmu_delete_blog() is true, then a site can be hard deleted. By hard deleted I mean the site's database table will be dropped.
My understanding is, the delete_sites capability is granted to super administrators only. delete_sites will let the super administrator hard delete a site. Administrators don't have this capability. Instead, administrators have the delete_site capability.
In wp-admin/network/sites.php, wpmu_delete_blog() is called with true as the second argument. The capability check in this case is delete_site. Should this be delete_sites?
Attachments (1)
Change History (3)
Note: See
TracTickets for help on using
tickets.
53694.diff fixes the capability check before hard deleting a site in the network.