Make WordPress Core

Opened 8 years ago

Closed 5 years ago

Last modified 5 years ago

#14343 closed defect (bug) (fixed)

user_can_access_admin_page not recognising taxonomies

Reported by: ClementN Owned by:
Milestone: 3.0.1 Priority: normal
Severity: normal Version: 3.0
Component: Taxonomy Keywords: dev-feedback
Focuses: Cc:



I have a custom taxonomy with custom capabilities. The "edit_customtaxonomy" cap is removed from all roles.

The problem is that the user is still able to click on each term (in the taxonomy page). When each term is clicked, the user goes to the "Update term" page and he is able to click the "Update" submit button.

After all, he can't update and get a "cheatin huh?" message.

The problem is they should't have access to the update page from the first place.

Attachments (1)

14343.diff (462 bytes) - added by duck_ 8 years ago.

Download all attachments as: .zip

Change History (12)

#1 @duck_
8 years ago

  • Summary changed from Custom taxonomy capabilities (update term) to user_can_access_admin_page not recognising taxonomies

This happens for any taxonomy, not just custom defined ones (try visiting edit-tags.php?taxonomy=category as a subscriber). The root of the problem is that user_can_access_admin_page() is not recognising the edit-tags.php?taxonomy=TAX_NAME entry in $_wp_submenu_nopriv since the pagenow global is set to edit-tags.php (note lack of query string).

Quick fix patch (not addressing problem described above) emulates behaviour in edit.php; implements a secondary check after the check in menu.php should deny access.

NB: the the links are all being removed from the menu, talking about visiting the URL directly as a user without the correct privileges.

8 years ago

#2 @ryan
8 years ago

  • Milestone changed from Awaiting Review to 3.0.1

#3 @ryan
8 years ago

(In [15439]) Add cap check. Props duck_. see #14343

#4 @ryan
8 years ago

(In [15440]) Add cap check. Props duck_. see #14343 for 3.0.1

#5 @ryan
8 years ago

(In [15441]) Add cap check. see #14343

#6 @ryan
8 years ago

(In [15442]) Add cap check. see #14343

#7 @ryan
8 years ago

  • Milestone changed from 3.0.1 to 3.1

user_can_access_admin_page() should never be relied upon. It is a fallback. We can look into fixing it for pages that have query args in 3.1.

#8 @jane
8 years ago

  • Keywords dev-feedback added

@ryan: what do you want to do about this one? Stick with quick fix for 3.1 and revisit in 3.2, or will someone patch for 3.1 in time?

#9 @ryan
7 years ago

  • Milestone changed from 3.1 to Future Release

#10 @wonderboymusic
5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

This patch made it into core

#11 @SergeyBiryukov
5 years ago

  • Milestone changed from Future Release to 3.0.1
Note: See TracTickets for help on using tickets.