Description
Opened on Jul 24, 2024
Quick summary
On some Atomic sites, we've found that it is possible for a non-owner admin to delete the site owner using the bulk edit > delete option via wp-admin. We cannot consistently reproduce this across all sites or identify the common factors between those where this is possible.
It looks like there should be checks to prevent this for Atomic sites:
- p9F6qB-9M6-p2#comment-47988
We first saw this on a user's site where their client removed them from the site:
Interaction:8402901-zd-a8c
Blog ID: 232302801
@mgozdis was able to replicate this on only one test site, but not others. Blog ID: 209179564
Slack discussion: p1721317519408849-slack-C03TY6J1A
In the user example, this was particularly problematic as the site owner is an agency, and the admin who deleted them is their client.
Steps to reproduce
- Add a second admin to a site.
- Open the user management options in wp-admin.
- Select the admin and choose 'remove' or 'delete' from the bulk edit options.
- Delete the user by applying the bulk edit option.
What you expected to happen
On other sites we tested, there were two differences:
- The bulk edit option was 'remove' not delete.
- When attempting to remove the owner, the option to remove them prevented this from happening:
What actually happened
The bulk edit option showed 'delete'. It was possible to delete the admin owner using this option.
If another Jetpack connected admin was present on the site, we were prompted to reassign the connection.
Screen.Capture.on.2024-07-18.at.18-55-34.mp4
Impact
Some (< 50%)
Available workarounds?
No but the platform is still usable
Platform (Simple and/or Atomic)
No response
Logs or notes
No response
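As an added example (not code from this issue, nor from the Atomic platform or wp-calypso), the following mu-plugin enforces the missing check from the defender's side: it denies the per-target `delete_user` and `remove_user` capabilities for a protected owner account, so both the "delete" and "remove" bulk actions described above fail for that user no matter which admin submits them. The owner lookup (`psop_protected_owner_id`, backed by an option of the same name with a placeholder default of 1) is an assumption; a real deployment would source it from site configuration.

```php
<?php
/**
 * Plugin Name: Protect Site Owner (example mu-plugin, not part of any Automattic project)
 *
 * Blocks the users.php "delete" and "remove" actions against one protected
 * user account, regardless of which administrator submits the request.
 */

// Assumption: the protected owner's user ID lives in an option; 1 is only a placeholder.
function psop_protected_owner_id() {
    return (int) get_option( 'psop_protected_owner_id', 1 );
}

/**
 * Deny the 'delete_user' and 'remove_user' meta capabilities when the target
 * user is the protected owner. users.php checks these per target user before
 * acting, so both the row action and the bulk action stop here.
 *
 * @param string[] $caps    Primitive capabilities required.
 * @param string   $cap     Capability being checked.
 * @param int      $user_id User performing the action.
 * @param array    $args    $args[0] is the target user ID for these caps.
 * @return string[]
 */
function psop_deny_owner_removal( $caps, $cap, $user_id, $args ) {
    if ( 'delete_user' !== $cap && 'remove_user' !== $cap ) {
        return $caps;
    }
    $target = isset( $args[0] ) ? (int) $args[0] : 0;
    if ( $target === psop_protected_owner_id() ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'psop_deny_owner_removal', 10, 4 );

/**
 * Defence in depth: a code path that skips the capability check still fires
 * these actions before any row is touched, so abort there as well.
 */
function psop_abort_owner_removal( $user_id ) {
    if ( (int) $user_id === psop_protected_owner_id() ) {
        wp_die( 'This account is the site owner and cannot be deleted or removed.' );
    }
}
add_action( 'delete_user', 'psop_abort_owner_removal' );
add_action( 'remove_user_from_blog', 'psop_abort_owner_removal' );
```

Drop the file into `wp-content/mu-plugins/` so it loads before any regular plugin; a blocked attempt surfaces in the admin UI as a "Sorry, you are not allowed to delete that user" style error rather than a silent no-op, which also makes it visible in access logs.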
Status: Triaged