WordPress.org
Get WordPress

Make WordPress Core

Opened 15 years ago

Closed 15 years ago

Last modified 15 years ago

#11935 closed defect (bug) (fixed)

Only show "Add New" button on plugins.php if the user has the install_plugins capability

Reported by: jamescollins's profile jamescollins Owned by:
Milestone: 3.0 Priority: normal
Severity: normal Version: 2.9.1
Component: Administration Keywords:
Focuses: Cc:

Description

In WP 2.9.1, wp-admin/plugins.php shows an "Add New" button next to the "Manage Plugins" title regardless of whether the user has these permissions or not:

http://core.trac.wordpress.org/browser/tags/2.9.1/wp-admin/plugins.php#L278

This "Add New" button should only be shown if the user has the install_plugins capability.

Attachments (3)

11935.diff (679 bytes) - added by jamescollins 15 years ago.
Patch against r12750
11935.themes.diff (720 bytes) - added by nacin 15 years ago.
install_themes as well
11935.themes.2.diff (720 bytes) - added by nacin 15 years ago.
Typo fix.

Download all attachments as: .zip

Change History (12)

@jamescollins
15 years ago

Patch against r12750

#1 follow-up: @jamescollins
15 years ago

  • Keywords has-patch added

Since WP 2.9.1, [12750] introduced a permissions check (which is related to the WPMU merge).

Instead of checking for:

if ( !is_multisite() || is_super_admin() )

It should check for:

if ( current_user_can('install_plugins') )

Simple patch attached.

@nacin
15 years ago

install_themes as well

#2 @nacin
15 years ago

  • Keywords commit added

Second patch for themes as well.

map_meta_cap() handles multisite checking, so the switch to current_user_can() is right.

There might be a few more instances of ( !is_multisite() || is_super_admin() ) that can be replaced with a simple current_user_can() check.

#3 @nacin
15 years ago

Looks like there are a few more checks like these in plugins.php and themes.php that can be replaced with a cap check. Patch attached.

#4 @nacin
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Oops, never uploaded the patch. No matter, ryan just committed this and more in [12753].

@nacin
15 years ago

Typo fix.

#5 @nacin
15 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

#6 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

[12754]

#7 in reply to: ↑ 1 ; follow-ups: @hakre
15 years ago

Replying to jamescollins:

Since WP 2.9.1, [12750] introduced a permissions check (which is related to the WPMU merge).

Why is there WPMU Merge related code in 2.9 ???

#8 in reply to: ↑ 7 @hakre
15 years ago

Replying to hakre:

Replying to jamescollins:

Since WP 2.9.1, [12750] introduced a permissions check (which is related to the WPMU merge).

Why is there WPMU Merge related code in 2.9 ???

My fault, [12750] is trunk.

#9 in reply to: ↑ 7 @jamescollins
15 years ago

  • Keywords has-patch commit removed

Replying to hakre:

Replying to jamescollins:

Since WP 2.9.1, [12750] introduced a permissions check (which is related to the WPMU merge).

Why is there WPMU Merge related code in 2.9 ???

Sorry for the confusion.

I meant that in WP 2.9.1 there was no capability check for the add new button, then in [12722] the multisite permissions check was added to trunk.

Note: See TracTickets for help on using tickets.