delete_plugins WordPress user capability

The delete_plugins WordPress user capability allows a user to delete inactive plugins. Such a user must also have access to the “Plugins” menu in the WordPress administrator back-end (this requires the activate_plugins capability). To delete a plugin, the user can use the plugin row link, which is shown under each plugin name, or the bulk action, which is applied to the selected set of plugins simultaneously.
The delete_plugins capability is used inside these WordPress core files:
wp-admin/plugins.php;
wp-admin/includes/class-wp-plugins-list-table.php;
wp-admin/includes/schema.php;
wp-includes/capabilities.php.
Read on if you wish to look inside the WordPress core code and get more details.

wp-admin/plugins.php

This is the place where the delete_plugins user capability is used directly for its purpose. If you select the action to delete a plugin but do not have this capability, you cannot carry it out.

 case 'delete-selected':
	if ( ! current_user_can('delete_plugins') )
		wp_die(__('You do not have sufficient permissions to delete plugins for this site.'));

wp-admin/includes/class-wp-plugins-list-table.php

The single_row() method of the WP_Plugins_List_Table class checks this capability to show or hide the ‘Delete’ link under every plugin row in the plugins list table (“Plugins” menu).

 if ( current_user_can( 'delete_plugins' ) && ! is_plugin_active( $plugin_file ) )
	$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';
 if ( ! is_multisite() && current_user_can('delete_plugins') )
	$actions['delete'] = '<a href="' . wp_nonce_url('plugins.php?action=delete-selected&amp;checked[]=' . $plugin_file . '&amp;plugin_status=' . $context . '&amp;paged=' . $page . '&amp;s=' . $s, 'bulk-plugins') . '" title="' . esc_attr__('Delete this plugin') . '" class="delete">' . __('Delete') . '</a>';

The get_bulk_actions() method of the WP_Plugins_List_Table class checks whether the user has the delete_plugins capability and decides whether to show or hide the “Delete” item in the bulk actions menu above the plugins list (“Plugins” menu). This menu item is shown if there is no active plugin among those selected for deletion.

	if ( current_user_can( 'delete_plugins' ) && ( 'active' != $status ) )
		$actions['delete-selected'] = __( 'Delete' );

wp-admin/includes/schema.php

This file tells us that the delete_plugins capability was added to WordPress in version 2.6.

/**
 * Create and modify WordPress roles for WordPress 2.6.
 *
 * @since 2.6.0
 */
function populate_roles_260() {
	$role =& get_role( 'administrator' );
 
	if ( !empty( $role ) ) {
		$role->add_cap( 'update_plugins' );
		$role->add_cap( 'delete_plugins' );
	}
}

wp-includes/capabilities.php

The delete_plugins user capability appears once in this file, inside the map_meta_cap() function:

 case 'delete_plugins':
 case 'install_plugins':
 case 'update_themes':
 case 'delete_themes':
 case 'install_themes':
 case 'update_core':
	// Disallow anything that creates, deletes, or edits core, plugin, or theme files.
	// Files in uploads are excepted.
	if ( defined('DISALLOW_FILE_MODS') && DISALLOW_FILE_MODS ) {
		$caps[] = 'do_not_allow';
		break;
	}
	// Fall through if not DISALLOW_FILE_MODS.

This piece of code shows that WordPress lets you enable additional security features by defining specially named PHP constants, e.g. DISALLOW_FILE_MODS, which blocks any operation that creates, deletes, or edits core, plugin, or theme files, except file uploads.
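DISALLOW_FILE_MODS switches file modifications off for everyone; the added example below (not WordPress core code and not from the original article) uses the same 'do_not_allow' mechanism through the map_meta_cap filter to limit delete_plugins to an allow-list of users, and logs each deletion through the deleted_plugin action. The file name, the RDP_ALLOWED_USER_IDS constant, the user ID in it and the log line format are assumptions made for illustration.

```php
<?php
/**
 * Added example, not WordPress core code.
 * Assumed location: wp-content/mu-plugins/restrict-delete-plugins.php
 */
defined( 'ABSPATH' ) || exit;

// Assumption: constructed user ID; list the accounts that may delete plugins.
const RDP_ALLOWED_USER_IDS = array( 1 );

/**
 * map_meta_cap() passes its result through the 'map_meta_cap' filter.
 * Appending 'do_not_allow' makes current_user_can( 'delete_plugins' ) fail,
 * which is what core itself does when DISALLOW_FILE_MODS is true.
 * Both the "Delete" links and the 'delete-selected' handler in
 * wp-admin/plugins.php rely on that check, so both are covered.
 */
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id ) {
	if ( 'delete_plugins' === $cap
		&& ! in_array( (int) $user_id, RDP_ALLOWED_USER_IDS, true ) ) {
		$caps[] = 'do_not_allow';
	}
	return $caps;
}, 10, 3 );

/**
 * 'deleted_plugin' fires after each deletion attempt (WordPress 4.4+)
 * and reports whether the plugin files were actually removed.
 * wp_json_encode() keeps the plugin path on a single log line.
 */
add_action( 'deleted_plugin', function ( $plugin_file, $deleted ) {
	error_log( sprintf(
		'[plugin-audit] user=%d plugin=%s deleted=%s',
		get_current_user_id(),
		wp_json_encode( $plugin_file ),
		$deleted ? 'yes' : 'no'
	) );
}, 10, 2 );
```

To block file modifications for all users instead, put define( 'DISALLOW_FILE_MODS', true ); in wp-config.php.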
