
Non-owner admin can delete site owner from wp-admin on some Atomic sites #92947

Open

Description

Quick summary

On some Atomic sites, we've found that it is possible for a non-owner admin to delete the site owner using the bulk edit > delete option via wp-admin. We cannot consistently reproduce this across all sites or identify the common factors between those where this is possible.

It looks like there should be checks to prevent this for Atomic sites:

  • p9F6qB-9M6-p2#comment-47988

We first saw this on a user's site where their client removed them from the site:

Interaction:8402901-zd-a8c
Blog ID: 232302801

@mgozdis was able to replicate this on only one test site, but not others. Blog ID: 209179564

Slack discussion: p1721317519408849-slack-C03TY6J1A

In the user example, this was particularly problematic as the site owner is an agency, and the admin who deleted them is their client.

Steps to reproduce

  1. Add a second admin to a site.
  2. Open the user management options in wp-admin.
  3. Select the admin and choose 'remove' or 'delete' from the bulk edit options.
  4. Delete the user by applying the bulk edit option.

What you expected to happen

On other sites we tested, there were two differences:

  1. The bulk edit option was 'remove' not delete.
  2. When attempting to remove the owner, the option to remove them prevented this from happening:
    Cannot remove (1)

What actually happened

The bulk edit option showed 'delete'. It was possible to delete the admin owner using this option.

If another Jetpack connected admin was present on the site, we were prompted to reassign the connection.

Screen.Capture.on.2024-07-18.at.18-55-34.mp4

Impact

Some (< 50%)

Available workarounds?

No, but the platform is still usable

Platform (Simple and/or Atomic)

No response

Logs or notes

No response
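The report above boils down to a missing authorization check: on the affected sites the Users screen lets a non-owner administrator bulk-delete the owner's account. The following mu-plugin is an added example (it is not code from this issue, from WordPress core, or from Automattic) showing how such a check can be enforced on the WordPress side. It assumes the protected owner's user ID is stored in an option named `protected_site_owner_id`; that option name, the `pso_` function prefix and the plugin name are hypothetical choices for this example.

```php
<?php
/**
 * Plugin Name: Protect Site Owner (added example, not part of this issue)
 *
 * Denies the delete_user / remove_user meta-capabilities when the target
 * account is the designated site owner, so the wp-admin Users screen
 * (including the bulk "Delete" / "Remove" action) cannot remove them.
 *
 * Assumption: the owner's user ID is stored in the option
 * 'protected_site_owner_id' (a hypothetical name chosen for this example).
 */

function pso_get_owner_id() {
    return (int) get_option( 'protected_site_owner_id', 0 );
}

/**
 * map_meta_cap runs for every current_user_can() check, including the ones
 * wp-admin/users.php performs before deleting or removing each selected user.
 * Returning the 'do_not_allow' pseudo-capability makes that check fail, so
 * the owner row is skipped and reported as not deletable/removable.
 */
function pso_protect_owner_caps( $caps, $cap, $user_id, $args ) {
    if ( 'delete_user' !== $cap && 'remove_user' !== $cap ) {
        return $caps;
    }

    $target_id = isset( $args[0] ) ? (int) $args[0] : 0;
    $owner_id  = pso_get_owner_id();

    // Only the owner may act on their own account; everyone else is denied.
    if ( $owner_id > 0 && $target_id === $owner_id && (int) $user_id !== $owner_id ) {
        return array( 'do_not_allow' );
    }

    return $caps;
}
add_filter( 'map_meta_cap', 'pso_protect_owner_caps', 10, 4 );

/**
 * Second layer: if some code path reaches wp_delete_user() or
 * remove_user_from_blog() without a capability check, abort before the
 * deletion happens and leave an audit line in the PHP error log.
 * Both actions fire with the target user ID as their first argument.
 */
function pso_block_owner_deletion( $id ) {
    $owner_id = pso_get_owner_id();

    if ( $owner_id > 0 && (int) $id === $owner_id ) {
        error_log( sprintf(
            'Blocked attempt by user %d to delete/remove site owner %d',
            get_current_user_id(),
            $owner_id
        ) );
        wp_die( esc_html__( 'The site owner cannot be deleted or removed.' ), 403 );
    }
}
add_action( 'delete_user', 'pso_block_owner_deletion' );
add_action( 'remove_user_from_blog', 'pso_block_owner_deletion' );
```

Two points worth checking when validating a fix like this against the symptoms in the report. First, the `map_meta_cap` layer is what produces the "Cannot remove"-style feedback in the list table, while the action-hook layer is a backstop for direct calls; both are needed because the bulk handler and direct API calls take different paths. Second, the report notes that some sites offered "Delete" and others "Remove": in WordPress core the Users screen uses "Delete" (capability `delete_user`) on a single-site install and "Remove" (capability `remove_user`) on multisite, so any ownership check must cover both capabilities and both underlying functions rather than only the one observed on a given site.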
