Context Navigation

← Previous Changeset
Next Changeset →

Changeset 60977

Timestamp:

10/19/2025 05:40:13 PM (3 months ago)

Author:

johnjamesjacoby

Message:

Networks and Sites: remove email address check when attempting to demote a Super Admin.

This change ensures that a capable Super Admin is allowed to manage global Users as intended, and removes an invisible & undocumented restriction (that was easily bypassed anyways).

It also adds 1 multisite unit test to confirm the intended behavior

Props flixos90, johnjamesjacoby, Mista-Flo.

Fixes #39170.

Location:

trunk

Files:

: 3 edited

src/wp-admin/user-edit.php (modified) (1 diff)
src/wp-includes/capabilities.php (modified) (2 diffs)
tests/phpunit/tests/user/multisite.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/src/wp-admin/user-edit.php

-                      r60679
+                      r60977
                     <?php endif; // End if ! IS_PROFILE_PAGE. ?>
                     <?php if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && current_user_can( 'manage_network_options' ) && ! isset( $super_admins ) ) : ?>
+                    <?php if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && ! isset( $super_admins ) ) : ?>
                         <tr class="user-super-admin-wrap">
                             <th><?php _e( 'Super Admin' ); ?></th>
                             <td>
+                                <?php if ( 0 !== strcasecmp( $profile_user->user_email, get_site_option( 'admin_email' ) ) || ! is_super_admin( $profile_user->ID ) ) : ?>
+                                    <p><label><input type="checkbox" id="super_admin" name="super_admin"<?php checked( is_super_admin( $profile_user->ID ) ); ?> /> <?php _e( 'Grant this user super admin privileges for the Network.' ); ?></label></p>
+                                <?php else : ?>
+                                    <p><?php _e( 'Super admin privileges cannot be removed because this user has the network admin email.' ); ?></p>
+                                <?php endif; ?>
+                                <p><label><input type="checkbox" id="super_admin" name="super_admin"<?php checked( is_super_admin( $profile_user->ID ) ); ?> /> <?php _e( 'Grant this user super admin privileges for the Network.' ); ?></label></p>
                             </td>
                         </tr>

trunk/src/wp-includes/capabilities.php

-                      r60491
+                      r60977
+ *
  * @since 3.0.0
+ * @since 6.9.0 Super admin privileges can be revoked regardless of email address.
+ *
  * @global array $super_admins
 …
     $user = get_userdata( $user_id );
     if ( $user && 0 !== strcasecmp( $user->user_email, get_site_option( 'admin_email' ) ) ) {
+    if ( $user ) {
         $key = array_search( $user->user_login, $super_admins, true );
         if ( false !== $key ) {

trunk/tests/phpunit/tests/user/multisite.php

-                      r60915
+                      r60977
         $wp_roles->remove_role( $role );
+    }
+    /**
+     * @ticket 39170
+     */
+    public function test_revoke_super_admin_with_network_email() {
+        if ( isset( $GLOBALS['super_admins'] ) ) {
+            $old_global = $GLOBALS['super_admins'];
+            unset( $GLOBALS['super_admins'] );
+        }
+        $old_network_email = get_site_option( 'admin_email' );
+        $email_address     = 'superadmin333@example.org';
+        $user_id = self::factory()->user->create(
+            array(
+                'user_email' => $email_address,
+            )
+        );
+        grant_super_admin( $user_id );
+        update_site_option( 'admin_email', $email_address );
+        $result = revoke_super_admin( $user_id );
+        update_site_option( 'admin_email', $old_network_email );
+        if ( isset( $old_global ) ) {
+            $GLOBALS['super_admins'] = $old_global;
+        }
+        $this->assertTrue( $result );
+    }
+}

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core