From 7bb8dc6269d7b1972f87fa2ee0ac6b9a8a6193f2 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Thu, 11 Aug 2022 18:22:59 +0000
Subject: [PATCH] Application Passwords: Allow a Super Admin to set an application password on a site they're not a member of.
This removes the requirement that a Super Admin must be a member of the current site when they attempt to set an application password within the admin area of an individual site on the network.
Props TimothyBlynJacobs, ilovecats7, johnbillion, georgestephanis, johnjamesjacoby
Fixes #53224
git-svn-id: https://develop.svn.wordpress.org/trunk@53882 602fd350-edb4-49c9-b593-d223f7449a82
---
 ...-rest-application-passwords-controller.php | 2 +-
 .../rest-application-passwords-controller.php | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
index af920d21f5..b0ac65a647 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php
@@ -719,7 +719,7 @@ class WP_REST_Application_Passwords_Controller extends WP_REST_Controller {
 return $error;
 }
- if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) {
+ if ( is_multisite() && ! user_can( $user->ID, 'manage_sites' ) && ! is_user_member_of_blog( $user->ID ) ) {
 return $error;
 }
diff --git a/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php b/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
index 993dd2d7c0..d4418f62cd 100644
--- a/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php
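Review bot: The relaxed membership check in the controller hunk carries no comment explaining that it is keyed to the `manage_sites` capability rather than to Super Admin status, which is how the commit message describes it. As written, any user for whom `user_can( $user->ID, 'manage_sites' )` is true skips `is_user_member_of_blog()`, so a capability filter that grants `manage_sites` would presumably widen this exemption as well. I would add a line above the condition such as `// Users who can manage_sites (Super Admins by default) are exempt from the site-membership requirement.` so the access decision is explicit to the next reader. The enclosing method starts and ends outside the hunk, so whether this lookup is shared by the list and delete routes cannot be confirmed from here.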
@@ -409,6 +409,32 @@ class WP_Test_REST_Application_Passwords_Controller extends WP_Test_REST_Control
 $this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );
 }
+ /**
+ * @ticket 53224
+ * @group ms-required
+ */
+ public function test_create_item_for_super_admin_on_site_where_they_are_not_a_member() {
+ wp_set_current_user( self::$admin );
+
+ // Create a site where the Super Admin is not a member.
+ $blog_id = self::factory()->blog->create(
+ array(
+ 'user_id' => self::$subscriber_id,
+ )
+ );
+
+ switch_to_blog( $blog_id );
+
+ $request = new WP_REST_Request( 'POST', '/wp/v2/users/me/application-passwords' );
+ $request->set_body_params( array( 'name' => 'App' ) );
+ $response = rest_do_request( $request );
+
+ restore_current_blog();
+
+ $this->assertNotWPError( $response );
+ $this->assertSame( 201, $response->get_status() );
+ }
+
 /**
 * @ticket 51939
 */
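Review bot: The new test covers only the allowed path, so nothing in this hunk pins that a non-member without `manage_sites` is still rejected after the condition was loosened. Unless a test outside this hunk already covers it, I would add a sibling `ms-required` test that mirrors this one with the roles swapped: `wp_set_current_user( self::$subscriber_id );`, a blog created with `'user_id' => self::$admin,`, and a final `$this->assertErrorResponse( 'rest_user_invalid_id', $response, 404 );`. The error code is assumed to be the one the neighbouring test asserts, because the definition of `$error` is not visible here. The test also relies on `self::$admin` being a Super Admin, which is set up outside the hunk; a one-line comment stating that would make the precondition clear.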