
Changeset 12893


Timestamp:
01/28/2010 10:07:51 PM (15 years ago)
Author:
westi
Message:

Menu hardening for the 2.8 branch see #11922

Location:
branches/2.8/wp-admin
Files:
2 edited

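--- a/branches/2.8/wp-admin/includes/plugin.php
+++ b/branches/2.8/wp-admin/includes/plugin.php
@@ -593,5 +593,5 @@
 
     $hookname = get_plugin_page_hookname( $file, '' );
-    if (!empty ( $function ) && !empty ( $hookname ))
+    if (!empty ( $function ) && !empty ( $hookname ) && current_user_can( $access_level ) )
         add_action( $hookname, $function );
 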
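Review bot: The added `current_user_can( $access_level )` condition has no comment saying why callback registration is tied to the capability, so a later cleanup could drop it as redundant with menu visibility. I would put `// Only hook the page callback when the current user holds $access_level; hiding the menu entry alone does not stop a direct request to the page.` above the `if`. When the check fails the callback is skipped silently, so it is worth confirming outside this hunk that a request for the page by such a user ends in an explicit permission error rather than an empty screen. The enclosing function starts and ends outside the hunk, and any sibling registration function that calls `add_action( $hookname, $function )` should carry the same check.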
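--- a/branches/2.8/wp-admin/menu.php
+++ b/branches/2.8/wp-admin/menu.php
@@ -199,9 +199,11 @@
 // Run re-parent loop again.
 foreach ( $menu as $id => $data ) {
+    if ( ! current_user_can($data[1]) )
+        $_wp_menu_nopriv[$data[2]] = true;
+
     // If submenu is empty...
     if ( empty($submenu[$data[2]]) ) {
         // And user doesn't have privs, remove menu.
-        if ( ! current_user_can($data[1]) ) {
-            $_wp_menu_nopriv[$data[2]] = true;
+        if ( isset( $_wp_menu_nopriv[$data[2]] ) ) {
             unset($menu[$id]);
         }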
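Review bot: `$_wp_menu_nopriv` changes meaning at the top of the loop body and nothing documents it: it is now set for every top-level entry the user lacks `$data[1]` for, including entries that still have submenu items, where before it was set only when the submenu was empty. I would add `// Flag every top-level menu the user cannot access, even if submenu items remain, so the flag no longer depends on the submenu being empty.` above the new `if`. The removal test is now `isset( $_wp_menu_nopriv[$data[2]] )`, so an entry flagged by code that ran before this loop is also unset here; the comment calls this a second pass, so that looks intended but should be confirmed against the first loop, which is outside the hunk. The `foreach` body continues past the last line shown.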