Networks and Sites: remove email address check when attempting to demote a Super Admin.

This change ensures that a capable Super Admin is allowed to manage global Users as intended, and removes an invisible & undocumented restriction (that was easily bypassed anyways).

It also adds 1 multisite unit test to confirm the intended behavior

Props flixos90, johnjamesjacoby, Mista-Flo.

Fixes #39170.



git-svn-id: https://develop.svn.wordpress.org/trunk@60977 602fd350-edb4-49c9-b593-d223f7449a82

Author: JJJ

src/wp-admin/user-edit.php

@@ -471,15 +471,11 @@
 						</tr>
 					<?php endif; // End if ! IS_PROFILE_PAGE. ?>
 
-					<?php if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && current_user_can( 'manage_network_options' ) && ! isset( $super_admins ) ) : ?>
+					<?php if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && ! isset( $super_admins ) ) : ?>
 						<tr class="user-super-admin-wrap">
 							<th><?php _e( 'Super Admin' ); ?></th>
 							<td>
-								<?php if ( 0 !== strcasecmp( $profile_user->user_email, get_site_option( 'admin_email' ) ) || ! is_super_admin( $profile_user->ID ) ) : ?>
-									<p><label><input type="checkbox" id="super_admin" name="super_admin"<?php checked( is_super_admin( $profile_user->ID ) ); ?> /> <?php _e( 'Grant this user super admin privileges for the Network.' ); ?></label></p>
-								<?php else : ?>
-									<p><?php _e( 'Super admin privileges cannot be removed because this user has the network admin email.' ); ?></p>
-								<?php endif; ?>
+								<p><label><input type="checkbox" id="super_admin" name="super_admin"<?php checked( is_super_admin( $profile_user->ID ) ); ?> /> <?php _e( 'Grant this user super admin privileges for the Network.' ); ?></label></p>
 							</td>
 						</tr>
 					<?php endif; ?>

src/wp-includes/capabilities.php

@@ -1252,6 +1252,7 @@ function grant_super_admin( $user_id ) {
  * Revokes Super Admin privileges.
  *
  * @since 3.0.0
+ * @since 6.9.0 Super admin privileges can be revoked regardless of email address.
  *
  * @global array $super_admins
  *
@@ -1278,7 +1279,7 @@ function revoke_super_admin( $user_id ) {
 	$super_admins = get_site_option( 'site_admins', array( 'admin' ) );
 
 	$user = get_userdata( $user_id );
-	if ( $user && 0 !== strcasecmp( $user->user_email, get_site_option( 'admin_email' ) ) ) {
+	if ( $user ) {
 		$key = array_search( $user->user_login, $super_admins, true );
 		if ( false !== $key ) {
 			unset( $super_admins[ $key ] );

tests/phpunit/tests/user/multisite.php

@@ -448,4 +448,36 @@ public function test_wp_roles_global_is_reset() {
 
 		$wp_roles->remove_role( $role );
 	}
+
+	/**
+	 * @ticket 39170
+	 */
+	public function test_revoke_super_admin_with_network_email() {
+		if ( isset( $GLOBALS['super_admins'] ) ) {
+			$old_global = $GLOBALS['super_admins'];
+			unset( $GLOBALS['super_admins'] );
+		}
+
+		$old_network_email = get_site_option( 'admin_email' );
+		$email_address     = '[email protected]';
+
+		$user_id = self::factory()->user->create(
+			array(
+				'user_email' => $email_address,
+			)
+		);
+
+		grant_super_admin( $user_id );
+		update_site_option( 'admin_email', $email_address );
+
+		$result = revoke_super_admin( $user_id );
+
+		update_site_option( 'admin_email', $old_network_email );
+
+		if ( isset( $old_global ) ) {
+			$GLOBALS['super_admins'] = $old_global;
+		}
+
+		$this->assertTrue( $result );
+	}
 }