WordPress multisite Super Admin: How this record with with so high permissions is defined? Are any user role or user capabilities used for that?
For the 1st glance, we have a quick answer. Yes, of course, just look at these user capabilities set: 'create_sites', 'manage_sites', 'manage_network', 'manage_network_options', 'manage_network_plugins', 'manage_network_themes', 'manage_network_users'. These capabilities definitely differentiate local administrator from the network one. And we will be right. If to add capabilities listed above to the local admin role, e.g. built-in ‘Administrator’ of the 1st, main site of the network, user with such role will get limited Super Admin privileges for the whole network. But it is not the full story.
If you open any user profile at the ‘Users’ menu under the ‘Network Admin’ you will find there the ‘Super Admin’ checkbox. With one click, turning it on you may grant to the user super admin privileges for the Network.
After that it does not matter what user role or capabilities that user has at the selected site. This user could have local administrator role without manage network capabilities:
With ‘Super Admin’ right this user could have no rights for this site at all
In both cases this user will have super admin privileges on any site of the network and full access to the Network Admin center. Why is it possible?
WordPress introduced for the Super Admin user the separate permissions model or level. By words: if user was included into the list of Super Admin users – he has full access to the whole network. Let’s see it through PHP code now.
WordPress multisite Super Admin at PHP level
In terms of WordPress core PHP code the answer will be a little longer, but it will be the same – WordPress checks Super Admin privileges without look on the user roles or user capabilities.
For example, look how WordPress checks need to show “Authors” dropdown menu at the post editor, file wp-admin/includes/class-wp-posts-list-table.php (WP 4.0):
if ( is_super_admin() || current_user_can( $post_type_object->cap->edit_others_posts ) ) :
There are a lot of other examples of use is_super_admin() function, including the core map_meta_cap() function used to define if user has or not has required user capability, like this at wp-includes/capabilities.php (WP 4.0):
elseif ( is_multisite() && ! is_super_admin( $user_id ) )
$caps[] = 'do_not_allow';
Let’s see how is_super_admin() function checks if user has Super Admin privilege or not. The same file:
/**
* Determine if user is a site admin.
*
* @since 3.0.0
*
* @param int $user_id (Optional) The ID of a user. Defaults to the current user.
* @return bool True if the user is a site admin.
*/
function is_super_admin( $user_id = false ) {
if ( ! $user_id || $user_id == get_current_user_id() )
$user = wp_get_current_user();
else
$user = get_userdata( $user_id );
if ( ! $user || ! $user->exists() )
return false;
if ( is_multisite() ) {
$super_admins = get_super_admins();
if ( is_array( $super_admins ) && in_array( $user->user_login, $super_admins ) )
return true;
} else {
if ( $user->has_cap('delete_users') )
return true;
}
return false;
}
We see that for multisite configuration this function takes a list of super admins from a get_super_admins() function, which is quite simple (the same file):
/**
* Retrieve a list of super admins.
*
* @since 3.0.0
*
* @uses $super_admins Super admins global variable, if set.
*
* @return array List of super admin logins
*/
function get_super_admins() {
global $super_admins;
if ( isset($super_admins) )
return $super_admins;
else
return get_site_option( 'site_admins', array('admin') );
}
It just takes user logins array from WordPress sitemeta database table and even does not touch any roles or capabilities:
Conclusion
Even though user is defined as a Super Admin, the Super Admin power doesn’t give him specific rights on any site, only overall rights. That is why those rights are not allocated to the Super Admin user profile and you don’t see them at user capabilities page. “Super Admin” is beyond of user roles and capabilities (which are managed on per site basis). We may say that it is above them.
