Wow that is a TIL for me. Thanks for the heads up. I am going to change to activate_plugins instead.
Actually no, activate_plugins is not multisite safe! Would any of these work:
update_core
update_plugins
update_themes
install_plugins
install_themes
delete_themes
delete_plugins
edit_plugins
edit_themes
edit_files
edit_users
add_users
create_users
delete_users
unfiltered_html
Maybe delete_users would be more appropriate, or maybe check manage_options && unfiltered_html.
DISALLOW_FILE_MODS will return false for all update_*, install_*, delete_*, and edit_* of core, themes, and plugins.
Why not create a check to see if WP_ALLOW_MULTISITE is true, then check update_plugins permission, and if not, check back the initial manage_options?
That is a good idea. Is it a foolproof way? I am not sure what the norm is out there for permission checks for MS and Single Site.
$permission = defined( 'WP_ALLOW_MULTISITE' ) && WP_ALLOW_MULTISITE ? 'update_plugins' : 'manage_options';
Having said that, DISALLOW_FILE_MODS will also cause issues for MS as well.
$permission = is_multisite() ? 'update_plugins' : 'manage_options';
This will be good I guess. Or maybe if is_multisite true then check if is_super_admin().
Something like:
if (is_multisite() && !is_super_admin()) {
    return; // does nothing
} else {
    ............
}
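
The check this thread converges on, written out as an added example that is not part of the original discussion or the plugin's own code. It runs inside WordPress; the `myplugin_` function names, the `myplugin_save` action and the `myplugin_settings` option are hypothetical.

```php
<?php
// Added example. All "myplugin_" identifiers are hypothetical.

/**
 * Decide who may manage this plugin's settings.
 *
 * Multisite: super admins only. Single site: users with manage_options.
 * The update_*, install_*, delete_* and edit_* capabilities are avoided
 * because, as noted in the thread, DISALLOW_FILE_MODS makes them false.
 */
function myplugin_user_can_manage() {
	if ( is_multisite() ) {
		return is_super_admin();
	}
	return current_user_can( 'manage_options' );
}

// Handler for a settings form posted to admin-post.php?action=myplugin_save.
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
	// Enforce the permission on the request itself, not only on the menu entry.
	if ( ! myplugin_user_can_manage() ) {
		wp_die(
			'You are not allowed to change these settings.',
			'',
			array( 'response' => 403 )
		);
	}

	// Verify the nonce sent by the settings form.
	check_admin_referer( 'myplugin_save' );

	$value = isset( $_POST['myplugin_value'] )
		? sanitize_text_field( wp_unslash( $_POST['myplugin_value'] ) )
		: '';
	update_option( 'myplugin_settings', $value );

	wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
	exit;
}
```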