In Multisite, Core only allows super admins to edit CSS by default. One of the reasons is that there are some security edge cases, especially in older browsers.
To allow site admins, you’ll need to grant them the `edit_css` capability. It sounds like you tried to do that with your plugin, but without seeing the code there’s no way to troubleshoot that. You could edit your question to include a minimal reproducible example if you’d like help with that.
Here’s an example of how Jetpack does it:
```php
/**
 * Re-map the Edit CSS capability.
 *
 * Core, by default, restricts this to users that have `unfiltered_html` which
 * would make the feature unusable in multi-site by non-super-admins, due to Core
 * not shipping any solid sanitization.
 *
 * We're expanding who can use it, and then conditionally applying CSSTidy
 * sanitization to users that do not have the `unfiltered_html` capability.
 *
 * @param array  $caps Returns the user's actual capabilities.
 * @param string $cap  Capability name.
 *
 * @return array $caps
 */
public static function map_meta_cap( $caps, $cap ) {
	if ( 'edit_css' === $cap ) {
		$caps = array( 'edit_theme_options' );
	}
	return $caps;
}
```
To mitigate those security problems, you can sanitize the CSS when it’s saved. An example of that is how WordCamp.org does it. For more details you can see Sanitize User Entered CSS.
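
A sketch of how the two halves fit together in one small plugin, added here as an example and not taken from Jetpack or WordCamp.org. The `example_css_*` names and the blocked-pattern list are assumptions made for illustration; `update_custom_css_data` is the Core filter that runs when Additional CSS is stored.

```php
<?php
/**
 * Plugin Name: Site Admin CSS (added example, hypothetical names)
 */

// Map the edit_css meta capability to edit_theme_options so site admins qualify.
add_filter( 'map_meta_cap', 'example_css_map_meta_cap', 20, 2 );
function example_css_map_meta_cap( $caps, $cap ) {
	if ( 'edit_css' === $cap ) {
		$caps = array( 'edit_theme_options' );
	}
	return $caps;
}

// Core passes Additional CSS through this filter just before storing it.
add_filter( 'update_custom_css_data', 'example_css_filter_on_save' );
function example_css_filter_on_save( $data ) {
	// Users who still hold unfiltered_html (super admins in Multisite) are left untouched.
	if ( ! current_user_can( 'unfiltered_html' ) ) {
		$data['css'] = example_css_sanitize( $data['css'] );
	}
	return $data;
}

/**
 * Constructed, deliberately strict filter standing in for a parser-based sanitizer.
 * It prefers breaking unusual CSS over letting an ambiguous token through.
 */
function example_css_sanitize( $css ) {
	// Strip comments first so they cannot split a blocked token in two.
	// The (string) cast turns a PCRE failure (null) into an empty stylesheet.
	$css = (string) preg_replace( '#/\*.*?\*/#s', '', (string) $css );
	// Drop backslash escapes, markup openers and NUL bytes.
	$css = str_replace( array( '\\', '<', "\0" ), '', $css );
	$blocked = array(
		'/@import\b[^;]*;?/i',                              // External stylesheets.
		'/expression\s*\(/i',                               // Legacy script-bearing value.
		'/(?<![\w-])(?:-moz-binding|behavior)\s*:/i',       // Legacy binding properties.
		'/(?<![\w-])(?:javascript|vbscript|data)\s*:/i',    // Non-http URL schemes.
	);
	// Repeat until stable so that removing one match cannot assemble another.
	do {
		$before = $css;
		$css    = (string) preg_replace( $blocked, '', $css );
	} while ( $css !== $before );
	return $css;
}
```

The pattern list trades compatibility for caution (it also removes `data:` URIs and escaped characters in `content` values). A parser-based sanitizer such as the CSSTidy approach named in the Jetpack comment is the sturdier replacement for `example_css_sanitize()`.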