id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
22895,user_can_admin_menu() is Type-Insensitive for Users who Can't Create Pages,kevinB,,"Utilization of the new edit_posts / create_posts capability separation reveals a flaw in admin menu privilege checking.

The issue occurs when:

1. For any post type other than ""post"", the user has $type->cap->edit_posts but not $type->cap->create_posts

2. User also does not have a manage_terms capability for any associated taxonomies

In that situation, access to ""edit.php?post_type=whatever"" fails unless the user has the ""edit_posts"" cap for the ""post"" type.

This occurs because:

1. '''wp-admin/includes/menu.php''' removes solitary submenus that have the same destination as the parent

2. '''get_admin_page_parent()''' returns nullstring if there is no $submenu item

3. '''user_can_access_admin_page()''' performs a type-sensitive capability check only if get_admin_page_parent() returns an existing $submenu key.

For now, my plugin workaround is to hook into 'admin_menu' and add a dummy submenu with nullstring caption. ",defect (bug),new,normal,3.6,Role/Capability,3.5,normal,,,johnbillion
