Opened 5 months ago
Last modified 17 hours ago
#22895 new defect (bug)
user_can_admin_menu() is Type-Insensitive for Users who Can't Create Pages
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.6 |
| Component: | Role/Capability | Version: | 3.5 |
| Severity: | normal | Keywords: | has-patch needs-testing |
| Cc: | johnbillion |
Description
Utilization of the new separation edit_posts /create_posts capability separation reveals a flaw in admin menu privilege checking.
The issue occurs when:
- For any post type other the "post", the user has $type->cap->edit_posts but not $type->cap->create_posts
- User also does not have a manage_terms capability for any associated taxonomies
In that situation, access to "edit.php?post_type=whatever" fails unless the user has the "edit_posts" cap for the "post" type.
This occurs because:
- wp-admin/includes/menu.php removes solitary submenus that have the same destination as the parent
- get_admin_page_parent() returns nullstring if there is no $submenu item
- user_can_access_admin_page() performs a type-sensitive capability check only if get_admin_page_parent() returns an existing $submenu key.
For now, my plugin workaround is to hook into 'admin_menu' and add a dummy submenu with nullstring caption.
Attachments (1)
Change History (10)
- Summary changed from user_can_admin_menu() is Type-Insensitive for Users who can't create pages to user_can_admin_menu() is Type-Insensitive for Users who Can't Create Pages
comment:4
johnbillion — 5 months ago
- Cc johnbillion added
comment:5
georgestephanis — 5 months ago
Blocking off some time on Saturday to wrangle this if noone else beats me to it.
comment:6
georgestephanis — 5 months ago
I'm trying to get the capabilities set up properly on a post type to duplicate this ... any chance you can paste me your register_post_type capabilities that you're using?
- Milestone changed from 3.5.1 to 3.6
22895.diff is a hack that allows user_can_access_admin_page() to respect edit.php?post_type= pages. It still does not respect edit-tags.php?taxonomy= pages, though, and neither does get_admin_page_parent(). Overall, the whole thing is a mess and needs to be rewritten. Fun. Even #12718 only touches the API, rather than the inner guts...
Since this is a new feature, and I'm not really sure of the possible breakage that could be caused by 22895.diff (one problem with the admin menu code is it is completely unmaintainable), I'm going to move this ticket to 3.6. So, 3.5 has create_posts with a caveat: It only works if the user has edit_posts, such as when the post type leverages edit_posts (like attachments do). Not the best, but also not something to go messing with a point release. Think of it as version 0.1.
comment:9
DrewAPicture — 17 hours ago
- Keywords has-patch needs-testing added
This will be obvious to some, but note that this issue only occurs when: