Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#11935 closed defect (bug) (fixed)

Only show "Add New" button on plugins.php if the user has the install_plugins capability

Reported by: jamescollins
Owned by:
Milestone: 3.0
Priority: normal
Severity: normal
Version: 2.9.1
Component: Administration
Keywords:
Focuses:
Cc:

Description

In WP 2.9.1, wp-admin/plugins.php shows an "Add New" button next to the "Manage Plugins" title regardless of whether the user has these permissions or not:

http://core.trac.wordpress.org/browser/tags/2.9.1/wp-admin/plugins.php#L278

This "Add New" button should only be shown if the user has the install_plugins capability.

Attachments (3)

11935.diff (679 bytes) - added by jamescollins 6 years ago.
Patch against r12750
11935.themes.diff (720 bytes) - added by nacin 6 years ago.
install_themes as well
11935.themes.2.diff (720 bytes) - added by nacin 6 years ago.
Typo fix.


Change History (12)

@jamescollins 6 years ago

Patch against r12750

comment:1 follow-up: @jamescollins 6 years ago

  • Keywords has-patch added

Since WP 2.9.1, [12750] introduced a permissions check (which is related to the WPMU merge).

Instead of checking for:

if ( !is_multisite() || is_super_admin() )

It should check for:

if ( current_user_can('install_plugins') )

Simple patch attached.

@nacin 6 years ago

install_themes as well

comment:2 @nacin 6 years ago

  • Keywords commit added

Second patch for themes as well.

map_meta_cap() handles multisite checking, so the switch to current_user_can() is right.

There might be a few more instances of ( !is_multisite() || is_super_admin() ) that can be replaced with a simple current_user_can() check.
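
Added example, not part of the ticket thread or WordPress core: a simplified PHP model that runs the old condition and a capability check over four constructed users and reports where they disagree. The user records, the `old_check`, `cap_check` and `mismatches` helpers, and the multisite rule inside `cap_check` (a stand-in for the `map_meta_cap()` handling comment 2 mentions) are assumptions made for illustration.

```php
<?php
// Simplified model for illustration; not WordPress core code.
// Helper names and user records are hypothetical and constructed.

// Old condition quoted in comment 1: !is_multisite() || is_super_admin()
function old_check(bool $multisite, array $user): bool {
    return !$multisite || $user['super_admin'];
}

// Stand-in for current_user_can( $cap ). Assumption: on multisite, plugin
// installation is limited to super admins, the handling comment 2 attributes
// to map_meta_cap(); otherwise the role's capability list decides.
function cap_check(bool $multisite, array $user, string $cap): bool {
    if ($multisite && !$user['super_admin']) {
        return false;
    }
    return in_array($cap, $user['caps'], true);
}

// Constructed cases: [label, is multisite, user record]
$cases = [
    ['single site, administrator', false,
        ['super_admin' => false, 'caps' => ['activate_plugins', 'install_plugins']]],
    ['single site, custom role without install_plugins', false,
        ['super_admin' => false, 'caps' => ['activate_plugins']]],
    ['multisite, site administrator', true,
        ['super_admin' => false, 'caps' => ['activate_plugins', 'install_plugins']]],
    ['multisite, super admin', true,
        ['super_admin' => true, 'caps' => ['activate_plugins', 'install_plugins']]],
];

// Return the labels of cases where the two conditions disagree.
function mismatches(array $cases, string $cap): array {
    $out = [];
    foreach ($cases as [$label, $multisite, $user]) {
        if (old_check($multisite, $user) !== cap_check($multisite, $user, $cap)) {
            $out[] = $label;
        }
    }
    return $out;
}

foreach ($cases as [$label, $multisite, $user]) {
    printf("%-50s old=%-5s cap=%s\n", $label,
        var_export(old_check($multisite, $user), true),
        var_export(cap_check($multisite, $user, 'install_plugins'), true));
}
echo "Cases where the two checks disagree: ",
    implode('; ', mismatches($cases, 'install_plugins')), "\n";
```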

comment:3 @nacin 6 years ago

Looks like there are a few more checks like these in plugins.php and themes.php that can be replaced with a cap check. Patch attached.

comment:4 @nacin 6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Oops, never uploaded the patch. No matter, ryan just committed this and more in [12753].

@nacin 6 years ago

Typo fix.

comment:5 @nacin 6 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:6 @ryan 6 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

comment:7 in reply to: ↑ 1 ; follow-ups: @hakre 6 years ago

Replying to jamescollins:

> Since WP 2.9.1, [12750] introduced a permissions check (which is related to the WPMU merge).

Why is there WPMU Merge related code in 2.9 ???

comment:8 in reply to: ↑ 7 @hakre 6 years ago

Replying to hakre:

> Replying to jamescollins:
>
> > Since WP 2.9.1, [12750] introduced a permissions check (which is related to the WPMU merge).
>
> Why is there WPMU Merge related code in 2.9 ???

My fault, [12750] is trunk.

comment:9 in reply to: ↑ 7 @jamescollins 6 years ago

  • Keywords has-patch commit removed

Replying to hakre:

> Replying to jamescollins:
>
> > Since WP 2.9.1, [12750] introduced a permissions check (which is related to the WPMU merge).
>
> Why is there WPMU Merge related code in 2.9 ???

Sorry for the confusion.

I meant that in WP 2.9.1 there was no capability check for the add new button, then in [12722] the multisite permissions check was added to trunk.
