delete_plugins
The delete_plugins WordPress user capability allows a user to delete inactive plugins. Such a user must have access to the “Plugins” menu in the WordPress administrator back-end (which requires the activate_plugins capability). To delete a plugin, the user can use the plugin row link shown under each plugin name, or a bulk action applied to a set of selected plugins at once.

The delete_plugins capability is used inside these WordPress core files:
– wp-admin/plugins.php;
– wp-admin/includes/class-wp-plugins-list-table.php;
– wp-admin/includes/schema.php;
– wp-includes/capabilities.php.
Read on if you want to look inside the WordPress core code and get more details.
wp-admin/plugins.php
This is the place where the delete_plugins user capability is used directly for its purpose. If you select the action to delete a plugin but do not have this capability, you cannot carry it out.
```php
case 'delete-selected':
	if ( ! current_user_can('delete_plugins') )
		wp_die(__('You do not have sufficient permissions to delete plugins for this site.'));
```
wp-admin/includes/class-wp-plugins-list-table.php
The single_row() method of the WP_Plugins_List_Table class checks this capability to show or hide the ‘Delete’ link under every plugin row in the plugins list table (“Plugins” menu).
```php
if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) )
	$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&checked[]=' . $plugin_file . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
```

```php
if ( ! is_multisite() && current_user_can('delete_plugins') )
	$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&checked[]=' . $plugin_file . '&plugin_status=' . $context . '&paged=' . $page . '&s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
```
The get_bulk_actions() method of the WP_Plugins_List_Table class checks whether the user has the delete_plugins capability and decides whether to show or hide the “Delete” item in the bulk actions menu above the plugins list (“Plugins” menu). This menu item is shown if there is no active plugin among those selected for deletion.
```php
if ( current_user_can( 'delete_plugins' ) && ( 'active' != $status ) )
	$actions['delete-selected'] = __( 'Delete' );
```
wp-admin/includes/schema.php
This file tells us that the delete_plugins capability was added to WordPress in version 2.6.
```php
/**
 * Create and modify WordPress roles for WordPress 2.6.
 *
 * @since 2.6.0
 */
function populate_roles_260() {
	$role =& get_role( 'administrator' );

	if ( !empty( $role ) ) {
		$role->add_cap( 'update_plugins' );
		$role->add_cap( 'delete_plugins' );
	}
}
```
wp-includes/capabilities.php
The delete_plugins user capability appears once in this file, inside the map_meta_cap() function:
```php
case 'delete_plugins':
case 'install_plugins':
case 'update_themes':
case 'delete_themes':
case 'install_themes':
case 'update_core':
	// Disallow anything that creates, deletes, or edits core, plugin, or theme files.
	// Files in uploads are excepted.
	if ( defined('DISALLOW_FILE_MODS') && DISALLOW_FILE_MODS ) {
		$caps[] = 'do_not_allow';
		break;
	}
	// Fall through if not DISALLOW_FILE_MODS.
```
This piece of code shows that WordPress lets you enable additional security restrictions by defining specially named PHP constants, e.g. DISALLOW_FILE_MODS, which blocks any operation that creates, deletes, or edits core, plugin, or theme files, except file uploads.
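To see how the role grant and the DISALLOW_FILE_MODS constant combine on a given site, the following audit can be run. It is an example added here, not WordPress core code; it assumes it runs inside a loaded WordPress (for instance through WP-CLI's `wp eval-file`), and the function name audit_delete_plugins_cap() is hypothetical.

```php
<?php
/**
 * Added example (not WordPress core code): report who can delete plugins.
 * Assumption: WordPress is already loaded, e.g. `wp eval-file audit.php`.
 * audit_delete_plugins_cap() is a hypothetical name used for illustration.
 */
function audit_delete_plugins_cap() {
	$report = array(
		// True when wp-config.php contains: define( 'DISALLOW_FILE_MODS', true );
		'file_mods_disallowed' => defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS,
		'roles_with_cap'       => array(),
		'users_effective'      => array(),
	);

	// Roles that hold the capability as a grant (populate_roles_260() gives
	// it to 'administrator'; role editors and plugins may add it elsewhere).
	foreach ( wp_roles()->role_objects as $name => $role ) {
		if ( $role->has_cap( 'delete_plugins' ) ) {
			$report['roles_with_cap'][] = $name;
		}
	}

	// An empty role__in filter would match every user, so stop here.
	if ( empty( $report['roles_with_cap'] ) ) {
		return $report;
	}

	// Effective permission per user. user_can() goes through map_meta_cap(),
	// so it is false for everyone once DISALLOW_FILE_MODS is true, even
	// though the role still lists the capability.
	// Users granted the capability individually (not via a role) are not covered.
	$users = get_users( array( 'role__in' => $report['roles_with_cap'] ) );
	foreach ( $users as $user ) {
		$report['users_effective'][ $user->user_login ] = user_can( $user, 'delete_plugins' );
	}

	return $report;
}

print_r( audit_delete_plugins_cap() );
```

A role appearing in roles_with_cap while every entry in users_effective is false is the expected result on a site where DISALLOW_FILE_MODS is set.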