#14343 closed defect (bug) (fixed)
user_can_access_admin_page not recognising taxonomies
Reported by: | ClementN | Owned by: | |
---|---|---|---|
Milestone: | 3.0.1 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Taxonomy | Keywords: | dev-feedback |
Focuses: | Cc: |
Description
Hello,
I have a custom taxonomy with custom capabilities.
The "edit_customtaxonomy" cap is removed from all roles.
The problem is that the user is still able to click on each term (in the taxonomy page).
When each term is clicked, the user goes to the "Update term" page and he is able to click the "Update" submit button.
After all, he can't update and get a "cheatin huh?" message.
The problem is they should't have access to the update page from the first place.
Attachments (1)
Change History (12)
#1
@
14 years ago
- Summary changed from Custom taxonomy capabilities (update term) to user_can_access_admin_page not recognising taxonomies
#7
@
14 years ago
- Milestone changed from 3.0.1 to 3.1
user_can_access_admin_page() should never be relied upon. It is a fallback. We can look into fixing it for pages that have query args in 3.1.
#8
@
14 years ago
- Keywords dev-feedback added
@ryan: what do you want to do about this one? Stick with quick fix for 3.1 and revisit in 3.2, or will someone patch for 3.1 in time?
This happens for any taxonomy, not just custom defined ones (try visiting
edit-tags.php?taxonomy=category
as a subscriber). The root of the problem is thatuser_can_access_admin_page()
is not recognising theedit-tags.php?taxonomy=TAX_NAME
entry in$_wp_submenu_nopriv
since the pagenow global is set to edit-tags.php (note lack of query string).Quick fix patch (not addressing problem described above) emulates behaviour in edit.php; implements a secondary check after the check in menu.php should deny access.
NB: the the links are all being removed from the menu, talking about visiting the URL directly as a user without the correct privileges.