WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

#11770 closed defect (bug) (fixed)

inconsistencies in the WPMU menu permissions

Reported by: Denis-de-Bernardy
Owned by:
Milestone: 3.0
Priority: normal
Severity: normal
Version: 3.0
Component: Multisite
Keywords: 2nd-opinion
Focuses:
Cc:

Description

In wpmu_menu(), we have:

unset( $submenu['plugins.php'][15] ); // always remove the plugin editor

but further down in list_activate_sitewide_plugins(), we have:

if ( current_user_can('edit_plugins') ...

Firstly, if memory serves, the non-existence of the menu item should make this trigger an error if it's clicked. (If not, we should add some more CYA permission checks similar to those we introduced around WP 2.8.1 and 2.8.2.)

Secondly, does it really make any sense to add this check on a MU site? It sounds like a recipe for breaking an installation.

Change History (2)

comment:1 @Denis-de-Bernardy 6 years ago

Cherry on the pie: disable_some_pages() explicitly disables the plugin editor.

comment:2 @ryan 6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12764]) Remove disable_some_pages(). Rely on cap checks. fixes #11770
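
The distinction this ticket turns on, hiding a menu entry versus checking a capability on every request, shown as an added standalone example. It is not WordPress core code and is not taken from the changeset; every demo_* name, the role names and the role-to-capability table are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: a standalone model, not WordPress core code.
// All demo_* names and the tables below are hypothetical.

// Constructed sample data: capabilities granted to each role.
const DEMO_ROLE_CAPS = [
    'blog_admin'  => ['activate_plugins'],
    'super_admin' => ['activate_plugins', 'edit_plugins'],
];

// Admin pages and the capability each page handler requires.
const DEMO_PAGES = [
    'plugins.php'       => 'activate_plugins',
    'plugin-editor.php' => 'edit_plugins',
];

function demo_user_can(string $role, string $cap): bool {
    return in_array($cap, DEMO_ROLE_CAPS[$role] ?? [], true);
}

// Menu building is presentation only: it decides what is shown.
function demo_build_menu(string $role): array {
    return array_keys(array_filter(
        DEMO_PAGES,
        fn($cap) => demo_user_can($role, $cap)
    ));
}

// Weak dispatcher: assumes a page hidden from the menu cannot be requested,
// so it never looks at the role.
function demo_dispatch_menu_only(string $role, string $page): int {
    return isset(DEMO_PAGES[$page]) ? 200 : 404;
}

// Hardened dispatcher: the capability is checked on the request itself.
function demo_dispatch_cap_checked(string $role, string $page): int {
    if (!isset(DEMO_PAGES[$page])) {
        return 404;
    }
    return demo_user_can($role, DEMO_PAGES[$page]) ? 200 : 403;
}

foreach (['blog_admin', 'super_admin'] as $role) {
    printf("%-11s menu=[%s] editor requested directly: menu-only=%d cap-checked=%d\n",
        $role, implode(', ', demo_build_menu($role)),
        demo_dispatch_menu_only($role, 'plugin-editor.php'),
        demo_dispatch_cap_checked($role, 'plugin-editor.php'));
}
```

For the role without edit_plugins, the editor is absent from the menu in both cases, but only the capability-checked dispatcher refuses the direct request.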
