user_can_admin_menu() is Type-Insensitive for Users who Can't Create Pages
|Reported by:||kevinB||Owned by:|
|Severity:||normal||Keywords:||has-patch needs-testing 3.7-early|
Utilization of the new separation edit_posts /create_posts capability separation reveals a flaw in admin menu privilege checking.
The issue occurs when:
- For any post type other the "post", the user has $type->cap->edit_posts but not $type->cap->create_posts
- User also does not have a manage_terms capability for any associated taxonomies
In that situation, access to "edit.php?post_type=whatever" fails unless the user has the "edit_posts" cap for the "post" type.
This occurs because:
- wp-admin/includes/menu.php removes solitary submenus that have the same destination as the parent
- get_admin_page_parent() returns nullstring if there is no $submenu item
- user_can_access_admin_page() performs a type-sensitive capability check only if get_admin_page_parent() returns an existing $submenu key.
For now, my plugin workaround is to hook into 'admin_menu' and add a dummy submenu with nullstring caption.
Change History (17)
- Summary changed from user_can_admin_menu() is Type-Insensitive for Users who can't create pages to user_can_admin_menu() is Type-Insensitive for Users who Can't Create Pages
comment:10 nacin — 5 months ago
- Keywords 3.7-early added
- Milestone changed from 3.6 to Future Release