Ipstenu / varnish-http-purge

Proxy Cache Purge
Apache License 2.0

Multisite: Currently all users can purge varnish #27

Closed phh closed 7 years ago

phh commented 7 years ago

This check:

// Multisite - Site admins can purge UNLESS it's a subfolder install and we're on site #1
is_multisite() && !current_user_can('manage_network')

Is checking if it's a multisite installation and the current user does not have the manage_network capability, meaning pretty much all users, meaning that contributors are able to make purges. I think the check should be something like:

current_user_can('manage_options') ?

Ipstenu commented 7 years ago

Huh... Actually that should be a check for if someone's an admin. So a super admin can ALWAYS flush per line #98

( is_multisite() && current_user_can('activate_plugins') && ( SUBDOMAIN_INSTALL || ( !SUBDOMAIN_INSTALL && ( BLOG_ID_CURRENT_SITE != $blog_id ) ) ) )

That would be a better check. If it's multisite and they can activate plugins (i.e. be admin per site) and they're either on a subdomain or not site 1... I'll fix it that way in 4.0.1! Thank you!
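
The difference between the two checks quoted in this thread, as an added example that is not code from the plugin: a standalone PHP script that evaluates both expressions for a few roles on a multisite install. The role-to-capability table, the function names, `MAIN_SITE_ID` (standing in for `BLOG_ID_CURRENT_SITE`) and the scenarios are constructed assumptions, and the script does not load WordPress.

```php
<?php
// Standalone model; does not load WordPress. Capability sets are constructed,
// simplified assumptions about what each multisite role holds.
const ROLE_CAPS = [
    'contributor' => ['edit_posts'],
    'site_admin'  => ['edit_posts', 'manage_options', 'activate_plugins'],
    'super_admin' => ['edit_posts', 'manage_options', 'activate_plugins', 'manage_network'],
];
const MAIN_SITE_ID = 1; // stands in for BLOG_ID_CURRENT_SITE

function can(string $role, string $cap): bool
{
    return in_array($cap, ROLE_CAPS[$role], true);
}

// Check quoted in the report: passes for every user WITHOUT manage_network.
function original_check(bool $multisite, string $role): bool
{
    return $multisite && !can($role, 'manage_network');
}

// Check proposed in the reply: needs activate_plugins, and either a subdomain
// install or a site other than the main one.
function proposed_check(bool $multisite, string $role, bool $subdomain, int $blog_id): bool
{
    return $multisite && can($role, 'activate_plugins')
        && ($subdomain || MAIN_SITE_ID !== $blog_id);
}

// Constructed scenarios: [role, subdomain install?, current blog id].
$scenarios = [
    ['contributor', true, 2],
    ['contributor', false, 1],
    ['site_admin', true, 1],
    ['site_admin', false, 2],
    ['site_admin', false, 1],
    ['super_admin', false, 1],
];

printf("%-12s %-10s %-5s %-9s %s\n", 'role', 'install', 'blog', 'original', 'proposed');
foreach ($scenarios as [$role, $subdomain, $blog_id]) {
    printf(
        "%-12s %-10s %-5d %-9s %s\n",
        $role,
        $subdomain ? 'subdomain' : 'subfolder',
        $blog_id,
        original_check(true, $role) ? 'allow' : 'deny',
        proposed_check(true, $role, $subdomain, $blog_id) ? 'allow' : 'deny'
    );
}
```

The super admin rows show only what each expression returns on its own; per the reply above, super admins are allowed by a separate check elsewhere in the plugin.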