WordPress multisite Super Admin privilege

WordPress multisite Super Admin: How this record with with so high permissions is defined? Are any user role or user capabilities used for that?
For the 1st glance, we have a quick answer. Yes, of course, just look at these user capabilities set: 'create_sites', 'manage_sites', 'manage_network', 'manage_network_options', 'manage_network_plugins', 'manage_network_themes', 'manage_network_users'. These capabilities definitely differentiate local administrator from the network one. And we will be right. If to add capabilities listed above to the local admin role, e.g. built-in ‘Administrator’ of the 1st, main site of the network, user with such role will get limited Super Admin privileges for the whole network. But it is not the full story.

If you open any user profile at the ‘Users’ menu under the ‘Network Admin’ you will find there the ‘Super Admin’ checkbox. With one click, turning it on you may grant to the user super admin privileges for the Network.

WordPress multisite Super Admin
WordPress multisite Super Admin

After that it does not matter what user role or capabilities that user has at the selected site. This user could have local administrator role without manage network capabilities:
WordPress multisite Super Admin user role and capabilities 1
WordPress multisite Super Admin user role and capabilities 1

With ‘Super Admin’ right this user could have no rights for this site at all
WordPress multisite Super Admin user role and capabilities 2
WordPress multisite Super Admin user role and capabilities 2

In both cases this user will have super admin privileges on any site of the network and full access to the Network Admin center. Why is it possible?

WordPress introduced for the Super Admin user the separate permissions model or level. By words: if user was included into the list of Super Admin users – he has full access to the whole network. Let’s see it through PHP code now.

WordPress multisite Super Admin at PHP level

In terms of WordPress core PHP code the answer will be a little longer, but it will be the same – WordPress checks Super Admin privileges without look on the user roles or user capabilities.

For example, look how WordPress checks need to show “Authors” dropdown menu at the post editor, file wp-admin/includes/class-wp-posts-list-table.php (WP 4.0):

972
if ( is_super_admin() || current_user_can( $post_type_object->cap->edit_others_posts ) ) :

There are a lot of other examples of use is_super_admin() function, including the core map_meta_cap() function used to define if user has or not has required user capability, like this at wp-includes/capabilities.php (WP 4.0):

1244
1245
	elseif ( is_multisite() && ! is_super_admin( $user_id ) )
		$caps[] = 'do_not_allow';

Let’s see how is_super_admin() function checks if user has Super Admin privilege or not. The same file:

1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
 /**
 * Determine if user is a site admin.
 *
 * @since 3.0.0
 *
 * @param int $user_id (Optional) The ID of a user. Defaults to the current user.
 * @return bool True if the user is a site admin.
 */
 function is_super_admin( $user_id = false ) {
	if ( ! $user_id || $user_id == get_current_user_id() )
		$user = wp_get_current_user();
	else
		$user = get_userdata( $user_id );
 
	if ( ! $user || ! $user->exists() )
		return false;
 
	if ( is_multisite() ) {
		$super_admins = get_super_admins();
		if ( is_array( $super_admins ) && in_array( $user->user_login, $super_admins ) )
			return true;
	} else {
		if ( $user->has_cap('delete_users') )
			return true;
	}
 
	return false;
 }

We see that for multisite configuration this function takes a list of super admins from a get_super_admins() function, which is quite simple (the same file):

1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
/**
 * Retrieve a list of super admins.
 *
 * @since 3.0.0
 *
 * @uses $super_admins Super admins global variable, if set.
 *
 * @return array List of super admin logins
 */
function get_super_admins() {
	global $super_admins;
 
	if ( isset($super_admins) )
		return $super_admins;
	else
		return get_site_option( 'site_admins', array('admin') );
}

It just takes user logins array from WordPress sitemeta database table and even does not touch any roles or capabilities:

WordPress multisite Super Admin list at wp_sitemeta database table
WordPress multisite Super Admin list at wp_sitemeta database table

Conclusion

Even though user is defined as a Super Admin, the Super Admin power doesn’t give him specific rights on any site, only overall rights. That is why those rights are not allocated to the Super Admin user profile and you don’t see them at user capabilities page. “Super Admin” is beyond of user roles and capabilities (which are managed on per site basis). We may say that it is above them.

Share