[resolved] Should super admin have capabilities that don't exist? (13 posts)

  1. mybadstudios
    Posted 1 year ago #

    I am writing a plugin and keep running into the problem that my menu pages always appear in my dashboard, even when I require capabilities that don't exist...

    So I tried printing out the values of allcaps and decided afterwards to try and be funny by doing this:

    echo (current_user_can("play_chopsticks") ? "yes" : "no");

    True enough, the result is "yes" !!!
    I added this during plugin activation:

    $role = get_role( 'administrator' );
        $role->add_cap( 'manage_wuss' );

    Yet when I do any of these, the menus appear in the dashboard:

    add_menu_page("MyHead", "WUSS", manage_wuss, "wuss_settings", show_wuss_config);
    add_menu_page("MyHead", "WUSS", manage_wussies, "wuss_settings", show_wuss_config);
    add_menu_page("MyHead", "WUSS", manage_whisky, "wuss_settings", show_wuss_config);
    add_menu_page("MyHead", "WUSS", shuold_manage, "wuss_settings", show_wuss_config);

    Is this normal behaviour for super admin accounts? I am beginning to think something is seriously wrong because I was trying to load my settings page using include_once('settings.php') and true enough it works just fine on the site dashboard but in the netword dashboard I get an error about calling (I forget the exact function now but) something of WordPress that checks the user's capabilities but when I rename the file from settings.php to anything else, then it loads just fine in the site dashboard and the network dashboard... but now I am running into this issue where absolutely anything I pass to current_user_can() returns true...

    Are these two issue related? Is this normal for Super Admin roles? Is my site totally messed up? Does anyone have any ideas?

  2. You mean is it normal for Super Admins to do anything? Yes. What happens when you use this on a single install of WP?

    echo (current_user_can("play_chopsticks") ? "yes" : "no");

  3. mybadstudios
    Posted 1 year ago #

    I don't actually HAVE a single install of WP so not sure but when I log in as a normal user, it works as expected and doesn't allow me to see the page.

    As I understand it, a super admin had the ability to manage every single last thing on the website and that is what makes him 'super'... the thing that I was asking is wether the super admin is supposed to be have a capability that doesn't exist...

    If there IS no 'play_chopsticks' capability, shouldn't current_user_can report false for EVERYONE including the super admin? Or is this a security feature to make sure the super admin is not locked out of anything, ever?

    Both answers would make perfect sense but in this instance it makes it hard for me to debug my code while logged in as super admin. I really don't want to have to log in and out of accounts every couple of minutes...

  4. Make a test site locally then?

    I'm asking because I wonder if it's a flaw in your code for ALL WordPress or just Multisite.

  5. mybadstudios
    Posted 1 year ago #

    I'm honestly not sure what to do... I am already runing a multisite locally as that is where I test my code on. I have no idea how to configure apache to allow me to run a single site and a multisite on the same system... sure it can be done, I just don't know how.

    But even if I did that, that is not going to be prove much since when I did this I just started the project and the options page was the first thing I did. There was nothing else to the kit except the options page and even that still didn't have anything in it... I was still at the "Register the page" phase when I forgot what the capability was so I guessed it and it worked. Later on I noticed I did spell it wrong and fixed it and it worked still...

    So basically you are asking me to create a new site and create a new script and in that script just write this single line and see if that works???

    add_menu_page("Stuff", "WUSS", manage_wuss, "wuss_settings", show_wuss_config,'dashicons-smiley');

    I think I can safely say that line will work :P All WordPress users the world over will agree with me that it works :P But you did give me a good idea, though. I am going to start again (this kit has undergone a LOT of work since I made this post) and create a new plugin that does nothing but show a empty menu then upload it to my actual online multisite also and test it there.

    I have always been under the impression that identical setups on different machines will run the same but this is a good enough way to verify there is nothing wrong on my local install.


    p.s. Probably should have done hat before posting ;)

  6. mybadstudios
    Posted 1 year ago #

    Okay... Just started from scratch and created a new plugin. Here is the ENTIRE plugin...

    Plugin Name: Plugin Test
    Plugin URI: http://wuss.mybadstudios.com/
    Description: Nothing yet
    Version: 1.0
    Network: true
    Author: myBad Studios
    Author URI: http://www.mybadstudios.com
    function activate_wussy()
        $role = get_role( 'administrator' );
        $role->add_cap( 'random_cap' );
    function deactivate_wussy(){
        $role = get_role( 'administrator' );
        $role->remove_cap( 'random_cap' );
    register_activation_hook( __FILE__,	'activate_wussy'	);
    register_deactivation_hook( __FILE__,	'deactivate_wussy'	);

    and then mysettings.php is this:

    function register_test_menu()
    	add_menu_page("Test", "TEST", 'do_random_stuff', "test-settings", show_test_config, 'dashicons-smiley');
    add_action( 'admin_menu', 'register_test_menu' );
    function show_test_config()
    	if ( current_user_can('manage_non_existent_stuff') ) echo "Yes he can";
    	if ( current_user_can(manage_other_non_existent_stuff) ) echo "Yes he can do this also";

    The result is a window that shows:

    Yes he canYes he can do this also
  7. mybadstudios
    Posted 1 year ago #

    Okay... Uploaded this to a single site and the menu item does NOT show up for Admins

    Uploaded it to my multisite and the menu appears for the super admin only

    Since this is happening on two sites I guess it is safe to assume the answer to my question is "Yes, it is normal behaviour"

    I would greatly appreciate it if someone with a multisite would try that above kit and just verify it on your end also...

  8. Wait, you're adding to $role = get_role( 'administrator' );

    Of course that gets picked up by the Super Admin. They're Administrator PLUS.

  9. mybadstudios
    Posted 1 year ago #

    Clearly you are not paying attention...

    Please look at that code again.

    I am telling you that IronMan swings from his web and clings to walls and you are saying 'But of cours,stupid! It's IronMan. He is strong enough to cling to buildings"

    Please pay attention or stop wasting my time with useless comments.

    Look at the NAMES of the capabilities! The NAMES! The whole point of the question and the thing I've asked this whole time! This post is about the NAMES if the capabailites! The NAMES! And just in case you didn't get it, yet, the N.A.M.E.S! Got that? The names! Thise things that are rather important but you seem to think don't matter.

    Notice the NAME of the capability I give the admin. Now pay attention to the NAME of the capability I test against! Can you spot the difference in spelling between the three words that don't look anything at all alike? Or do you still think that Superman should turn green and and attack the nazis with his shield while sitting comfortably inside his invisible plane created by the ring on his finger?

    Please pay attention to what is going on or do not reply to my sincere request for assistance if you cannot do that.


  10. You know... When people volunteer to help you, out of the kindness of their hearts, there's no point in you getting that shirty over it.

    Also the Super Admin role allows a user to perform all possible capabilities. Which is why I asked you early on if you could test it on a single site, which is not that hard to figure out how to install, provided one can read and follow directions.

    You mean is it normal for Super Admins to do anything? Yes.

    Literally, everything.

  11. mybadstudios
    Posted 1 year ago #

    Yeah, I know, i got a bit over-emotional here asking the same thing over and over and getting replies that dance around the subject without actually answering the question, just forcing me to ask the same thing over and over again.

    As you can see, I DID i stall the kit on single jser and multisite and the fact that you still take me on making it sound like i am incapable of doing so just points once more to the fact that I am speaking to a wall.

    In any event, though, I am going to consider this issue sooved and say 'yes, the super admin can do things that are not supposed to run'. Even if the capability does not exit for anyone, even if the capability has never ever been defined by anyone anywhere in world, ever, in all of history, the super admin still has that capability. Cool, is all I wanted to know :)

    Sorry I lost my temper. Thanks for taking the time out of your day

  12. FWIW, the page about capabilities actually says that too, so y'know, read the whole thing :) It's fine. People get passionate about their work.

    I will note this. If you feel you're getting asked the SAME question, you may want to reconsider how you answered, since obviously I felt you weren't answering what I thought I was asking, which was why I tried to phrase it differently.

  13. mybadstudios
    Posted 1 year ago #

    I was just wondering "It does? How did I miss it?" So I had another look...

    I still can't see it. I can see it saying "super admin has all capabilities" but that is not what I was asking. I was not asking "is there any capability the super admin doesn't have" I was asking if the super admin should have capabilities that DON'T EXIST.

    I don"t see the note in the capabilites page that says: "super admins do, by default, have all capabilites AS WELL as any and all capabilities that don't exist". If I am missing it then I apologise for missing it each time and wasting anyone's time.

    Thing is, I am a rather clever boy, no escaping that... ;) ...but my memory has more holes than chicken mesh. I can create a capability now, open up the next tab and already I forgot the spelling I just used 10 seconds ago. If I don't copy past then I am working with luck... So when I guess a capability and see it working I am so super happy that I remembered the name and rhe soelling I chose... And then, one fateful day I see that even when I do it wrong, it still works... And I start wondrring "Why?" So I asked...

    One thing that I still can't figure out is why I can use stuff in quotes and without quotes and it still works. I am thus never sure when it is supposed to be in quotes and when not.

    To use a variable, you prefix it with $ so this is a variable
    And this is a value contained inside a variable
    I.e. $field = 'value';

    Simple... Fields and values make sense... But why is this both correct:

    According to me, the second one should cause an error...and yet it is fine... Now, the add_menu_page function... i use that with and without cause I am never sure which it is supposed to be or wether it makes a difference or not... So when I see it works, I'm happy...but when I realise I make clear and obvious mistakes and it still works... i get worried...

    So I asked...

Topic Closed

This topic has been closed to new replies.

About this Topic