Pages Hooked by add_menu_page() Have No Security
Reported by: miqrogroove
Owned by: westi
... continued from #10310
They are roles. That could be the problem.
Nah, the $access_level parameter has never been implemented for add_menu_page. wp-admin/menu.php displays all top level menus unless all children are forbidden. The hooks for those top level pages are totally unchecked.
For clarity, the flow of control:
- In add_menu_page(), the callback function gets hooked unconditionally. $access_level is ignored.
- In wp-admin/menu.php, current_user_can() is called after the user has failed every submenu permissions check unanimously. If any one test passes, then current_user_can() never runs.
- In wp-admin/menu.php, user_can_access_admin_page() is called.
- user_can_access_admin_page() performs a last-ditch check for $_wp_menu_nopriv, which is never set unless current_user_can() gets called in step 2.
- admin.php calls do_action($page_hook);
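The five steps above, rendered as an added, runnable model that is not WordPress code: every function body here is an assumption written to reproduce the control flow as the ticket describes it (the real functions take more arguments and key $_wp_menu_nopriv by hook or file rather than by slug). The scenario registers a parent page gated on manage_options with a child gated on edit_posts, then loads the parent as a user who holds only edit_posts. add_menu_page_guarded is a hypothetical wrapper, not a WordPress API, showing the one check this flow cannot skip: a capability test inside the page callback itself.

```php
<?php
// Added model (not WordPress code): the function names mirror the ticket's, but
// every body below is an assumption written to reproduce the described flow.

$menu = [];             // top-level slug => ['hook' => ..., 'access_level' => ...]
$submenu = [];          // parent slug => list of ['slug', 'hook', 'access_level']
$_wp_menu_nopriv = [];  // written only by build_menu() (the menu.php stand-in)
$hooks = [];            // hook name => callback (stand-in for add_action/do_action)
$user_caps = [];        // capabilities of the simulated current user

function current_user_can($cap) {
    global $user_caps;
    return in_array($cap, $user_caps, true);
}
function add_action($hook, $callback) { global $hooks; $hooks[$hook] = $callback; }
function do_action($hook) {
    global $hooks;
    return isset($hooks[$hook]) ? $hooks[$hook]() : null;
}

// Step 1: the callback is hooked unconditionally; $access_level is merely stored.
function add_menu_page($slug, $access_level, $callback) {
    global $menu;
    $hook = 'toplevel_page_' . $slug;
    $menu[$slug] = ['hook' => $hook, 'access_level' => $access_level];
    add_action($hook, $callback);
    return $hook;
}
function add_submenu_page($parent, $slug, $access_level, $callback) {
    global $submenu;
    $hook = $parent . '_page_' . $slug;
    $submenu[$parent][] = ['slug' => $slug, 'hook' => $hook, 'access_level' => $access_level];
    add_action($hook, $callback);
    return $hook;
}

// Step 2: the top-level current_user_can() check runs only if every submenu
// check failed, so a single permitted child leaves the parent unmarked.
function build_menu() {
    global $menu, $submenu, $_wp_menu_nopriv;
    foreach ($menu as $slug => $item) {
        $any_child_allowed = false;
        foreach ($submenu[$slug] ?? [] as $sub) {
            if (current_user_can($sub['access_level'])) {
                $any_child_allowed = true;
            } else {
                $_wp_menu_nopriv[$sub['slug']] = true;
            }
        }
        if (!$any_child_allowed && !current_user_can($item['access_level'])) {
            $_wp_menu_nopriv[$slug] = true;
        }
    }
}

// Steps 3-4: the last-ditch check can only see what build_menu() recorded.
function user_can_access_admin_page($slug) {
    global $_wp_menu_nopriv;
    return empty($_wp_menu_nopriv[$slug]);
}

// Step 5: admin.php dispatches to the page hook.
function load_admin_page($slug) {
    global $menu;
    return user_can_access_admin_page($slug) ? do_action($menu[$slug]['hook']) : 'blocked';
}

// Hypothetical defensive wrapper (not a WordPress API): re-check the capability
// inside the callback itself, the one check the flow above cannot skip.
function add_menu_page_guarded($slug, $access_level, $callback) {
    return add_menu_page($slug, $access_level, function () use ($access_level, $callback) {
        return current_user_can($access_level) ? $callback() : 'blocked';
    });
}

// Constructed scenario: an admin-only parent with a contributor-level child.
add_menu_page('plugin-admin', 'manage_options', function () { return 'SECRET ADMIN PAGE RENDERED'; });
add_submenu_page('plugin-admin', 'plugin-report', 'edit_posts', function () { return 'report'; });
add_menu_page_guarded('plugin-admin-2', 'manage_options', function () { return 'SECRET ADMIN PAGE RENDERED'; });
add_submenu_page('plugin-admin-2', 'plugin-report-2', 'edit_posts', function () { return 'report'; });

$user_caps = ['edit_posts'];   // may see the child, must not see the parent
build_menu();
echo "unguarded parent: ", load_admin_page('plugin-admin'), "\n";
echo "guarded parent:   ", load_admin_page('plugin-admin-2'), "\n";
```

Run with `php` on the command line. Because the child check passes, build_menu() never records the parent in $_wp_menu_nopriv, user_can_access_admin_page() waves the request through, and the unguarded parent callback renders for a user who lacks manage_options; only the guarded variant, which tests the capability inside the callback, refuses.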
Change History (17)
- Keywords reporter-feedback added; has-patch removed
- Owner set to westi
- Status changed from new to accepted