Admin custom option screen not saved unless user manage_options capability
|Reported by:||markauk||Owned by:||westi|
I have a custom options screen. The menu and sub-menu pages for that screen are set to show only if a user has a custom capability ('be_super_editor') in this case.
The options screen shows or not as expected if a user has or does not have the 'be_super_editor' capability.
However, the options cannot be updated unless the user has 'manage_options' capability as well. This seems to be wrong for two reasons:-
(1) if a capability allows an options screen to be accessed, it is reasonable to assume that the user should be able to make changes to that screen.
(2) giving these users 'manage_options' capability is not a good idea as that allows them to do other things that they shouldn't be able to do (e.g. access wp-admin/options.php directly).
Changing line 30 of wp-admin/options.php from:-
if ( !current_user_can('manage_options') )
if ( !current_user_can('manage_options') && 'update' != $action )
fixes the problem, though I don't know enough about the inner workings of WP security to say if this creates any further security/permissions issues.
Change History (26)
- Milestone changed from Awaiting Review to 3.1
- Type changed from defect (bug) to feature request
- Keywords has-patch added; needs-patch removed
- Milestone changed from Future Release to 3.2
- Owner set to nacin
- Resolution set to fixed
- Status changed from new to closed
- Owner changed from nacin to westi
- Status changed from reopened to reviewing