WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#12455 closed defect (bug) (fixed)

Options.php cleanup

Reported by: dd32 Owned by: dd32
Milestone: 3.0 Priority: normal
Severity: normal Version: 3.0
Component: General Keywords: has-patch needs-testing
Focuses: Cc:

Description

The 2.9 options.php only contained 2 cases where exiting was required, Specifically, if ( !current_user_can('manage_options') ) and if the whitelisted page was not available.

trunk currently contains a few Multisite additions for death of the loading, Some of these apply to non-MS installs as well.

Attached patch is an attempt at cleaning up some blocks of the code.

  • Consolidates wp_die()'s to the top of the file
    • Multisite checks allow for non-super-admins to update options, not to access the options.php page
  • Code formatting
  • Reduced if branching
  • Removes single-case switch in favour of if

Attachments (1)

12455.diff (5.6 KB) - added by dd32 6 years ago.

Download all attachments as: .zip

Change History (7)

comment:1 @dd326 years ago

  • Keywords needs-testing added

Some testing under Multisite, and with various plugins would be appreciated.

@dd326 years ago

comment:2 @dd326 years ago

  • Owner set to dd32
  • Status changed from new to accepted

comment:3 follow-up: @Denis-de-Bernardy6 years ago

I'd like to suggest an additional enhancement: if the site is not multisite, only the user whose email corresponds to the admin email can browse that screen.

comment:4 in reply to: ↑ 3 @nacin6 years ago

Replying to Denis-de-Bernardy:

I'd like to suggest an additional enhancement: if the site is not multisite, only the user whose email corresponds to the admin email can browse that screen.

-1 for two reasons. One, this should be handled by capabilities. If manage_options isn't specific enough, then we can come up with another that can be removed by a plugin for certain users. Even then, a plugin should be able to deny options.php for certain holders of a manage_options cap.

Two, there's zero guarantee that there is a matching account to the admin email. If we ever start thinking about an owner/super-admin role that can be linked directly to the admin email, then this perhaps comes into play, but otherwise, you can't make that assumption.

comment:5 @dd325 years ago

(In [13627]) Cleanup of options.php. Adds concise&early wp_die()'s, reformats some poorly chosen branching. See #12455

comment:6 @dd325 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed
Note: See TracTickets for help on using tickets.