unfiltered_html

977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995

		// Fall through if not DISALLOW_FILE_MODS.
	case 'unfiltered_html':
		// Disallow unfiltered_html for all users, even admins and super admins.
		if ( defined('DISALLOW_UNFILTERED_HTML') && DISALLOW_UNFILTERED_HTML ) {
			$caps[] = 'do_not_allow';
			break;
		}
		// Fall through if not DISALLOW_UNFILTERED_HTML
	case 'delete_user':
	case 'delete_users':
		// If multisite these caps are allowed only for super admins.
		if ( is_multisite() && !is_super_admin( $user_id ) ) {
			$caps[] = 'do_not_allow';
		} else {
			if ( 'delete_user' == $cap )
				$cap = 'delete_users';
			$caps[] = $cap;
		}
		break;

Thus, function map_meta_cap() at the capabilities.php always returns ‘do_not_allow’ for the ‘unfiltered_html’ if you are not the superadmin in the multi-site environment.
This way WordPress developers decided to prohibit “unfiltered_html” globally and allow that for the superadmin user only in the multi-site environment.
So we can consider this capability as deprecated for the WordPress multi-site.
In most cases you trust to your editors. Why not allow to your editors to use arbitrary HTML tags in the posts?
The direct step – just remove kses filters for the user with ‘Editor’ role, inserting call of
kses_remove_filters();
function from kses.php file into site theme functions.php file, doesn’t give the desired result. As I see WordPress calls kses_init() function in the different places and not one time, and probably override my kses filters remove try :). I did not make more deep research yet.
May be you found some applicable workaround for that? Share please your experience with others.

Tags: capability, Security, User Role, WordPress

This entry was posted on Saturday, February 19th, 2011 at 03:44 and is filed under Security, WordPress. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.