Plugin Directory: Allow Featured/Beta plugin owners to manage the committers and allow all committers to toggle public preview.

dd32 · dd32 · commit 4c2eb62238d7 · 2026-03-16T03:53:45.000Z
This relaxes a security change introduced with #5654, so adding/removing committers of these plugins now also triggers the plugins team to be CC'd for review. Closes WordPress#561. Fixes #8206. git-svn-id: https://meta.svn.wordpress.org/sites/trunk@14718 74240141-8908-4e6f-9713-ba540dce6ec7
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-capabilities.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/class-capabilities.php
@@ -90,18 +90,18 @@ public static function map_meta_cap( $required_caps, $cap, $user_id, $context )
 		}
 
 		// If a plugin is in the Beta or Featured views, they're not able to self-manage certain things. Require reviewer.
+		$is_beta     = is_object_in_term( $post->ID, 'plugin_section', 'beta' );
+		$is_featured = is_object_in_term( $post->ID, 'plugin_section', 'featured' );
+
 		if (
+			( $is_beta || $is_featured ) &&
 			in_array(
 				$cap,
 				array(
 					'plugin_self_close',
 					'plugin_self_transfer',
-					'plugin_toggle_public_preview',
-					'plugin_add_committer',
-					'plugin_remove_committer',
 				)
-			) &&
-			is_object_in_term( $post->ID, 'plugin_section', array( 'beta', 'featured' ) )
+			)
 		) {
 			$required_caps[] = 'plugin_review';
 		}
@@ -111,6 +111,15 @@ public static function map_meta_cap( $required_caps, $cap, $user_id, $context )
 			$required_caps[] = 'do_not_allow';
 		}
 
+		// For featured/beta plugins, only the owner can manage committers.
+		if (
+			( $is_featured || $is_beta ) &&
+			$user_id != $post->post_author &&
+			in_array( $cap, array( 'plugin_add_committer', 'plugin_remove_committer' ) )
+		) {
+			$required_caps[] = 'plugin_review';
+		}
+
 		// Committers
 		$committers = Tools::get_plugin_committers( $post->post_name );
 		// If there are no committers, use the plugin author if the plugin is published.
diff --git a/wordpress.org/public_html/wp-content/plugins/plugin-directory/email/class-committer-added.php b/wordpress.org/public_html/wp-content/plugins/plugin-directory/email/class-committer-added.php
@@ -6,6 +6,18 @@
 class Committer_Added extends Base {
 	protected $required_args = [ 'committer' ];
 
+	public function __construct( $plugin, $users = [], $args = [] ) {
+		parent::__construct( $plugin, $users, $args );
+
+		// Notify the plugins team of committer changes on featured plugins as a safety-net.
+		if ( $this->plugin && is_object_in_term( $this->plugin->ID, 'plugin_section', array( 'featured', 'beta' ) ) ) {
+			$plugins_team = get_user_by( 'email', PLUGIN_TEAM_EMAIL );
+			if ( $plugins_team ) {
+				$this->users[] = $plugins_team;
+			}
+		}
+	}
+
 	function subject() {
 		return sprintf(
 			/* translators: 1: Plugin Name */
diff --git a/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/inc/template-tags.php b/wordpress.org/public_html/wp-content/themes/pub/wporg-plugins-2024/inc/template-tags.php
@@ -265,26 +265,45 @@ function the_unconfirmed_releases_notice() {
 function the_no_self_management_notice() {
 	$post = get_post();
 
-	// Check if they can access plugin management, but can't add committers.
-	// This means the plugin has limited self-management functionalities, for security.
+	$is_beta     = is_object_in_term( $post->ID, 'plugin_section', 'beta' );
+	$is_featured = is_object_in_term( $post->ID, 'plugin_section', 'featured' );
+
+	// Check if the plugin is in a section with limited self-management, and the user can manage it.
 	if (
-		(
-			current_user_can( 'plugin_admin_edit', $post ) &&
-			! current_user_can( 'plugin_add_committer', $post )
-		) || (
-			// Show the notice to plugin reviewers when it's limited. See class-capabilities.php.
-			is_object_in_term( $post->ID, 'plugin_section', array( 'beta', 'featured' ) ) &&
+		! ( $is_beta || $is_featured ) ||
+		! (
+			current_user_can( 'plugin_admin_edit', $post ) ||
 			current_user_can( 'plugin_review' )
 		)
 	) {
-		printf(
-			'<div class="plugin-notice notice notice-warning notice-alt"><p>%s</p></div>',
-			sprintf(
-				__( 'Management of this plugin has been limited for security reasons. Please contact the <a href="mailto:%1$s">plugins team (%1$s)</a> for assistance to add/remove committers, or to perform other actions that are unavailable.', 'wporg-plugins' ),
-				'plugins@wordpress.org'
-			)
+		return;
+	}
+
+	$section = $is_beta ? __( 'Beta', 'wporg-plugins' ) : __( 'Featured', 'wporg-plugins' );
+	$is_owner = get_current_user_id() == $post->post_author;
+
+	if ( $is_owner ) {
+		$message = sprintf(
+			/* translators: 1: section name (Beta/Featured), 2: plugins team email address */
+			__( 'This plugin is listed in the %1$s section. Some management features have been limited for security reasons. Please contact the <a href="mailto:%2$s">plugins team (%2$s)</a> for assistance with closing or transferring this plugin.', 'wporg-plugins' ),
+			$section,
+			'plugins@wordpress.org'
+		);
+	} else {
+		$owner = get_user_by( 'ID', $post->post_author );
+		$message = sprintf(
+			/* translators: 1: section name (Beta/Featured), 2: plugin owner display name, 3: plugins team email address */
+			__( 'This plugin is listed in the %1$s section. Some management features have been limited for security reasons. Only the plugin owner (%2$s) can manage committers. Please contact the <a href="mailto:%3$s">plugins team (%3$s)</a> for assistance with closing or transferring this plugin.', 'wporg-plugins' ),
+			$section,
+			esc_html( $owner->display_name ),
+			'plugins@wordpress.org'
 		);
 	}
+
+	printf(
+		'<div class="plugin-notice notice notice-warning notice-alt"><p>%s</p></div>',
+		$message
+	);
 }
 
 /**
