
Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#10313 closed defect (bug) (wontfix)

Editors not allowed to save settings on themes / plugins

Reported by: alignak
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 2.8
Component: Role/Capability
Keywords:
Focuses:
Cc:

Description

Considering the simplest plugin code that saves some text on database (see sample attached).

Login with your ADMIN username, and you will be able to save those settings to database.

Now login with any EDITOR level user, and try to save the settings.
You will get the message "Cheatin’ uh?" on yourdomain.com/wp-admin/options.php

Also noticed that level 5 was defined, so editors should be able to save that with no problems at all.

Tested up to 2.8.1 beta2

Attachments (1)

samplescode.phps (1.5 KB) - added by alignak 5 years ago.
Sample code, and proof of evidence


Change History (4)

alignak, 5 years ago

Sample code, and proof of evidence

comment:1 dd32, 5 years ago

  • Milestone 2.8.1 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Consider this: are your editors supposed to be able to modify global blog options, or to add/manage postings?

If you so wish for your editor levels to be able to manage the entire blog, you need to install a role-managing plugin and grant the privilege 'manage_options' to the Editor role.

comment:2 dd32, 5 years ago

Of course, the other way to look at it, which is how this reporter is seeing it, is:

The plugin has specified its page can be viewed by non-admins, therefore options.php should allow users of this level to modify any of that page's options (perhaps using the whitelisting functionality??).

Either way, it'll require more code on the plugin's behalf: either whitelisting with some new functionality in WP, or for the plugin to post to itself and handle permissions instead.

comment:3 hakre, 5 years ago

IMHO, and that is the approach I and others have known for years now, is to actually handle own plugin / theme options on the plugin's/theme's behalf. This can be easily done with get_option() and the like.
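An added example (not the attached samplescode.phps and not WordPress core code) of the "post to itself and handle permissions" approach dd32 and hakre describe: the plugin's own page receives the form, checks the capability it chose for editors and a nonce, and writes the option with update_option(), so options.php and its manage_options check are never involved. The plugin name, option name, capability choice and all function names are hypothetical, and a current WordPress release is assumed.

```php
<?php
/*
Plugin Name: Editor Notice (hypothetical example)
*/

// Hypothetical option name and capability. Editors have 'edit_posts';
// 'manage_options' (what options.php requires) is normally admin-only.
define( 'EDNOTICE_OPTION', 'ednotice_text' );
define( 'EDNOTICE_CAP', 'edit_posts' );

// Register the page under Posts, a menu editors can already see.
add_action( 'admin_menu', 'ednotice_add_page' );
function ednotice_add_page() {
    add_submenu_page( 'edit.php', 'Editor Notice', 'Editor Notice',
        EDNOTICE_CAP, 'ednotice', 'ednotice_render_page' );
}

// Handle the form submission before any output; the plugin does its own checks.
add_action( 'admin_init', 'ednotice_handle_post' );
function ednotice_handle_post() {
    if ( ! isset( $_POST['ednotice_submit'] ) ) {
        return;
    }
    // Authorization: the capability the plugin chose, not manage_options.
    if ( ! current_user_can( EDNOTICE_CAP ) ) {
        wp_die( 'You are not allowed to change this setting.' );
    }
    // CSRF protection: dies if the nonce is missing or invalid.
    check_admin_referer( 'ednotice_save', 'ednotice_nonce' );

    $raw   = isset( $_POST['ednotice_text'] ) ? wp_unslash( $_POST['ednotice_text'] ) : '';
    $value = sanitize_text_field( $raw );   // store sanitized input only
    update_option( EDNOTICE_OPTION, $value );

    wp_safe_redirect( add_query_arg( 'updated', 'true', admin_url( 'edit.php?page=ednotice' ) ) );
    exit;
}

function ednotice_render_page() {
    $current = get_option( EDNOTICE_OPTION, '' );
    ?>
    <div class="wrap">
        <h2>Editor Notice</h2>
        <form method="post" action="<?php echo esc_url( admin_url( 'edit.php?page=ednotice' ) ); ?>">
            <?php wp_nonce_field( 'ednotice_save', 'ednotice_nonce' ); ?>
            <input type="text" name="ednotice_text" value="<?php echo esc_attr( $current ); ?>" />
            <input type="submit" name="ednotice_submit" class="button-primary" value="Save" />
        </form>
    </div>
    <?php
}
```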
