id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
22895	user_can_admin_menu() is Type-Insensitive for Users who Can't Create Pages	kevinB		"Utilization of the new separation edit_posts /create_posts capability separation reveals a flaw in admin menu privilege checking.

The issue occurs when:

1. For any post type other the ""post"", the user has $type->cap->edit_posts but not $type->cap->create_posts

2. User also does not have a manage_terms capability for any associated taxonomies

In that situation, access to ""edit.php?post_type=whatever"" fails unless the user has the ""edit_posts"" cap for the ""post"" type.

This occurs because:

1. '''wp-admin/includes/menu.php''' removes solitary submenus that have the same destination as the parent

2. '''get_admin_page_parent()''' returns nullstring if there is no $submenu item

3. '''user_can_access_admin_page()''' performs a type-sensitive capability check only if get_admin_page_parent() returns an existing $submenu key.

For now, my plugin workaround is to hook into 'admin_menu' and add a dummy submenu with nullstring caption. "	defect (bug)	new	normal	3.6	Role/Capability	3.5	normal			johnbillion