Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#11770 closed defect (bug) (fixed)

inconsistencies in the WPMU menu permissions

Reported by: Denis-de-Bernardy Owned by:
Milestone: 3.0 Priority: normal
Severity: normal Version: 3.0
Component: Multisite Keywords: 2nd-opinion
Focuses: Cc:


in wpmu_menu(), we have:

unset( $submenu['plugins.php'][15] ); // always remove the plugin editor

but further down in list_activate_sitewide_plugins(), we have:

if ( current_user_can('edit_plugins') ...

firstly, if memory serves, the non-existence of the menu item should make this trigger an error if it's clicked. (if not, we should add some more CYA permission checks similar to those we introduced around WP 2.8.1 and 2.8.2.)

secondly, does it really make any sense to add this check on a MU site? it sounds like a recipe for breaking an installation.

Change History (2)

#1 @Denis-de-Bernardy
12 years ago

cherrie on the pie: disable_some_pages() explicitly disables the plugin editor.

#2 @ryan
12 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12764]) Remove disable_some_pages(). Rely on cap checks. fixes #11770

Note: See TracTickets for help on using tickets.