Make WordPress Core

Opened 14 years ago

Closed 11 years ago

Last modified 11 years ago

#14343 closed defect (bug) (fixed)

user_can_access_admin_page not recognising taxonomies

Reported by: ClementN Owned by:
Milestone: 3.0.1 Priority: normal
Severity: normal Version: 3.0
Component: Taxonomy Keywords: dev-feedback
Focuses: Cc:

Description

Hello,

I have a custom taxonomy with custom capabilities.
The "edit_customtaxonomy" cap is removed from all roles.

The problem is that the user is still able to click on each term (in the taxonomy page).
When each term is clicked, the user goes to the "Update term" page and he is able to click the "Update" submit button.

After all, he can't update and gets a "cheatin huh?" message.

The problem is they shouldn't have access to the update page in the first place.


Attachments (1)

14343.diff (462 bytes) - added by duck_ 14 years ago.


Change History (12)

#1 @duck_
14 years ago

  • Summary changed from Custom taxonomy capabilities (update term) to user_can_access_admin_page not recognising taxonomies

This happens for any taxonomy, not just custom defined ones (try visiting edit-tags.php?taxonomy=category as a subscriber). The root of the problem is that user_can_access_admin_page() is not recognising the edit-tags.php?taxonomy=TAX_NAME entry in $_wp_submenu_nopriv since the pagenow global is set to edit-tags.php (note lack of query string).

Quick fix patch (not addressing the problem described above) emulates behaviour in edit.php; implements a secondary check after the check in menu.php that should deny access.

NB: the links are all being removed from the menu; talking about visiting the URL directly as a user without the correct privileges.
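The mismatch duck_ describes, and the kind of per-screen check the quick fix adds, as an added illustration (this is not WordPress core code and not the contents of 14343.diff). Part 1 is plain PHP that models the fallback lookup with a constructed stand-in for $_wp_submenu_nopriv; part 2 is a helper that only runs inside WordPress. Every name prefixed demo_ is an assumption made for this example; taxonomy_exists(), get_taxonomy(), current_user_can() and wp_die() are real WordPress functions.

```php
<?php
// Added example, not core code. Part 1: why a menu-derived "no privilege" table
// keyed by $pagenow never matches a taxonomy screen. Part 2: the explicit
// capability check a screen should perform itself (the edit.php pattern).

// Constructed stand-in for $_wp_submenu_nopriv. Menu registration stores the
// screens this user may NOT see under the parent page, keyed by the full
// submenu slug, i.e. script name plus query string.
$demo_submenu_nopriv = array(
    'edit.php' => array(
        'edit-tags.php?taxonomy=category' => true,
        'edit-tags.php?taxonomy=post_tag' => true,
    ),
);

// Simplified model of the fallback: it only knows the script name ($pagenow).
// 'edit-tags.php' is not a key in the table, so the lookup finds nothing and
// reports the page as accessible. This is the gap the ticket is about.
function demo_fallback_allows( array $nopriv, string $parent, string $pagenow ): bool {
    return ! isset( $nopriv[ $parent ][ $pagenow ] );
}

// The same lookup, but comparing against script name plus query string, which
// is what the registered slug actually contains.
function demo_fallback_allows_with_query( array $nopriv, string $parent, string $pagenow, string $query ): bool {
    $slug = ( $query === '' ) ? $pagenow : $pagenow . '?' . $query;
    return ! isset( $nopriv[ $parent ][ $slug ] );
}

// Part 2 (WordPress only): the screen checks the taxonomy's own capability
// instead of relying on the menu fallback. manage_terms is the slot in a
// taxonomy's cap object that a custom "capabilities" array maps to a cap such
// as the reporter's edit_customtaxonomy.
function demo_require_taxonomy_cap( string $tax_name ): void {
    if ( ! taxonomy_exists( $tax_name ) ) {
        wp_die( __( 'Invalid taxonomy' ) );
    }
    $tax = get_taxonomy( $tax_name );
    if ( ! current_user_can( $tax->cap->manage_terms ) ) {
        // Stop before any term form is rendered, not just before the update is saved.
        wp_die( __( 'You do not have permission to manage this taxonomy.' ) );
    }
}

// Part 1 demonstration; runs with plain PHP outside WordPress.
$pagenow = 'edit-tags.php';               // what the global holds for the request
$query   = 'taxonomy=category';           // the part the fallback never sees
var_dump( demo_fallback_allows( $demo_submenu_nopriv, 'edit.php', $pagenow ) );
var_dump( demo_fallback_allows_with_query( $demo_submenu_nopriv, 'edit.php', $pagenow, $query ) );
```

Running part 1 shows the script-name-only lookup treating a denied taxonomy screen as allowed while the full-slug lookup denies it. Part 2 is the defensive takeaway of the thread: whether or not the fallback is ever taught about query strings, the screen itself should check the taxonomy capability before it renders the term form, so a user without edit_customtaxonomy never reaches the "Update" button in the first place.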

@duck_
14 years ago

#2 @ryan
14 years ago

  • Milestone changed from Awaiting Review to 3.0.1

#3 @ryan
14 years ago

(In [15439]) Add cap check. Props duck_. see #14343

#4 @ryan
14 years ago

(In [15440]) Add cap check. Props duck_. see #14343 for 3.0.1

#5 @ryan
14 years ago

(In [15441]) Add cap check. see #14343

#6 @ryan
14 years ago

(In [15442]) Add cap check. see #14343

#7 @ryan
14 years ago

  • Milestone changed from 3.0.1 to 3.1

user_can_access_admin_page() should never be relied upon. It is a fallback. We can look into fixing it for pages that have query args in 3.1.

#8 @jane
14 years ago

  • Keywords dev-feedback added

@ryan: what do you want to do about this one? Stick with quick fix for 3.1 and revisit in 3.2, or will someone patch for 3.1 in time?

#9 @ryan
14 years ago

  • Milestone changed from 3.1 to Future Release

#10 @wonderboymusic
11 years ago

  • Resolution set to fixed
  • Status changed from new to closed

This patch made it into core

#11 @SergeyBiryukov
11 years ago

  • Milestone changed from Future Release to 3.0.1