Goal
Modify the existing customer-facing ?page=account admin page (and sibling customer-panel pages) so it works on the main site for sovereign-tenant customers. Today it expects to render inside the customer's own subsite; under ADR-001 Amendment 1 (downstream Ultimate-Multisite/ultimate-multisite-multi-tenancy#86, #87), sovereign-tenant customers visit it on the main-site domain instead.
No new admin pages — modify, don't replace. This resolves §8 Q3 (PR #87).
Files to modify
| File |
Change |
inc/admin-pages/customer-panel/class-account-admin-page.php |
(1) Drop the "current site is the customer's site" assumption — derive customer context from wp_get_current_user() instead. (2) Accept optional ?return_to=<url> query arg; if present, render a "Back to your site" link that points at the return URL. (3) Ensure capability gates work for main-site context (current customer caps should already work; verify). |
inc/admin-pages/customer-panel/class-my-sites-admin-page.php |
Same three changes; "My Sites" lists the customer's sites across the network including sovereign tenants, each linking to its own domain (not back to a ?blog_id= switch). |
inc/admin-pages/customer-panel/class-template-switching-admin-page.php |
Same changes; template-switching action targets a specific site, identified via a query arg or selector rather than get_current_blog_id(). |
inc/admin-pages/customer-panel/class-checkout-admin-page.php |
If checkout is reached from a sovereign-tenant context, ensure the return-to-tenant flow works. |
inc/admin-pages/customer-panel/class-add-new-site-admin-page.php |
Sovereign-tenant customers should be able to add additional sites; verify no regressions for the main-site context. |
Return-to-tenant flow
When a sovereign-tenant customer clicks "Manage on main site" (from 3-A7 redirects), the URL is:
https://main-site.example/wp-admin/admin.php?page=account&return_to=https%3A%2F%2Fcustomer-tenant.example%2Fwp-admin%2F
The account page renders normally; somewhere in the page header (or footer) it includes a prominent "← Back to {tenant-site-name}" link pointing at the decoded return_to URL. The link uses Phase 2 SSO so the customer doesn't have to re-authenticate.
return_to must be validated: only URLs whose host matches a known sovereign tenant of the current customer are accepted; anything else falls back to no link.
"Current site" assumption removal
Existing code patterns to find and fix:
$current_site = wu_get_current_site(); // assumes the user is browsing their own site
$blog_id = get_current_blog_id(); // assumes that's the customer's site
$current_user = wp_get_current_user();
$membership = $current_user->get_membership(); // may need to switch to membership-driven context
Replace "current site" with "current customer's primary site" or "the site identified by the URL query arg" (e.g. ?site_id=42 for multi-site customers).
Reference patterns
wp_get_current_user() and the customer model lookup pattern: see existing Customer::get_by_user_id() in inc/models/class-customer.php.- Phase 2 SSO token issue: downstream
inc/network/class-auth-token-manager.php — the main site mints an SSO token, the tenant validates it. The return_to link should include the SSO token in its URL query.
- Existing customer-panel pages already handle main-site context for some operations; this issue brings the rest of the pages into line.
Verification
- From a sovereign tenant, click "Manage on main site" on the Account_Summary element (added in 3-A7); verify you land on
https://main-site/wp-admin/admin.php?page=account with the customer's data visible.
- The "← Back to {tenant}" link is present and points at the original tenant URL via SSO.
- From the main site, the same page renders normally for non-sovereign customers (no regression).
- A malicious
?return_to=https://evil.example/ falls back to no link (validation rejects unknown hosts).
- Multi-site customers see all their sites in My_Sites including sovereign tenants, each linking to its own domain.
ADR context
ADR-001 Amendment 1 §4.3 "PR-C" + §8 resolved Q3 + §11 decision log.
Tier
Tier:2 — five admin pages, return-URL flow, SSO integration, validation.
Ref Ultimate-Multisite/ultimate-multisite-multi-tenancy#86
Ref Ultimate-Multisite/ultimate-multisite-multi-tenancy#87
aidevops.sh v3.17.28 plugin for OpenCode v1.15.7 with claude-opus-4-7 spent 17h 9m and 125,709 tokens on this with the user in an interactive session.
Goal
Modify the existing customer-facing
?page=accountadmin page (and sibling customer-panel pages) so it works on the main site for sovereign-tenant customers. Today it expects to render inside the customer's own subsite; under ADR-001 Amendment 1 (downstreamUltimate-Multisite/ultimate-multisite-multi-tenancy#86, #87), sovereign-tenant customers visit it on the main-site domain instead.No new admin pages — modify, don't replace. This resolves §8 Q3 (PR #87).
Files to modify
inc/admin-pages/customer-panel/class-account-admin-page.phpwp_get_current_user()instead. (2) Accept optional?return_to=<url>query arg; if present, render a "Back to your site" link that points at the return URL. (3) Ensure capability gates work for main-site context (current customer caps should already work; verify).inc/admin-pages/customer-panel/class-my-sites-admin-page.php?blog_id=switch).inc/admin-pages/customer-panel/class-template-switching-admin-page.phpget_current_blog_id().inc/admin-pages/customer-panel/class-checkout-admin-page.phpinc/admin-pages/customer-panel/class-add-new-site-admin-page.phpReturn-to-tenant flow
When a sovereign-tenant customer clicks "Manage on main site" (from 3-A7 redirects), the URL is:
The account page renders normally; somewhere in the page header (or footer) it includes a prominent "← Back to {tenant-site-name}" link pointing at the decoded
return_toURL. The link uses Phase 2 SSO so the customer doesn't have to re-authenticate.return_tomust be validated: only URLs whose host matches a known sovereign tenant of the current customer are accepted; anything else falls back to no link."Current site" assumption removal
Existing code patterns to find and fix:
Replace "current site" with "current customer's primary site" or "the site identified by the URL query arg" (e.g.
?site_id=42for multi-site customers).Reference patterns
wp_get_current_user()and the customer model lookup pattern: see existingCustomer::get_by_user_id()ininc/models/class-customer.php.inc/network/class-auth-token-manager.php— the main site mints an SSO token, the tenant validates it. Thereturn_tolink should include the SSO token in its URL query.Verification
https://main-site/wp-admin/admin.php?page=accountwith the customer's data visible.?return_to=https://evil.example/falls back to no link (validation rejects unknown hosts).ADR context
ADR-001 Amendment 1 §4.3 "PR-C" + §8 resolved Q3 + §11 decision log.
Tier
Tier:2 — five admin pages, return-URL flow, SSO integration, validation.
Ref Ultimate-Multisite/ultimate-multisite-multi-tenancy#86
Ref Ultimate-Multisite/ultimate-multisite-multi-tenancy#87
aidevops.sh v3.17.28 plugin for OpenCode v1.15.7 with claude-opus-4-7 spent 17h 9m and 125,709 tokens on this with the user in an interactive session.