WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 8 months ago

Last modified 8 months ago

#14343 closed defect (bug) (fixed)

user_can_access_admin_page not recognising taxonomies

Reported by: ClementN Owned by:
Milestone: 3.0.1 Priority: normal
Severity: normal Version: 3.0
Component: Taxonomy Keywords: dev-feedback
Focuses: Cc:

Description

Hello,

I have a custom taxonomy with custom capabilities.
The "edit_customtaxonomy" cap is removed from all roles.

The problem is that the user is still able to click on each term (in the taxonomy page).
When each term is clicked, the user goes to the "Update term" page and he is able to click the "Update" submit button.

After all, he can't update and get a "cheatin huh?" message.

The problem is they should't have access to the update page from the first place.


Attachments (1)

14343.diff (462 bytes) - added by duck_ 4 years ago.

Download all attachments as: .zip

Change History (12)

comment:1 duck_4 years ago

  • Summary changed from Custom taxonomy capabilities (update term) to user_can_access_admin_page not recognising taxonomies

This happens for any taxonomy, not just custom defined ones (try visiting edit-tags.php?taxonomy=category as a subscriber). The root of the problem is that user_can_access_admin_page() is not recognising the edit-tags.php?taxonomy=TAX_NAME entry in $_wp_submenu_nopriv since the pagenow global is set to edit-tags.php (note lack of query string).

Quick fix patch (not addressing problem described above) emulates behaviour in edit.php; implements a secondary check after the check in menu.php should deny access.

NB: the the links are all being removed from the menu, talking about visiting the URL directly as a user without the correct privileges.

duck_4 years ago

comment:2 ryan4 years ago

  • Milestone changed from Awaiting Review to 3.0.1

comment:3 ryan4 years ago

(In [15439]) Add cap check. Props duck_. see #14343

comment:4 ryan4 years ago

(In [15440]) Add cap check. Props duck_. see #14343 for 3.0.1

comment:5 ryan4 years ago

(In [15441]) Add cap check. see #14343

comment:6 ryan4 years ago

(In [15442]) Add cap check. see #14343

comment:7 ryan4 years ago

  • Milestone changed from 3.0.1 to 3.1

user_can_access_admin_page() should never be relied upon. It is a fallback. We can look into fixing it for pages that have query args in 3.1.

comment:8 jane3 years ago

  • Keywords dev-feedback added

@ryan: what do you want to do about this one? Stick with quick fix for 3.1 and revisit in 3.2, or will someone patch for 3.1 in time?

comment:9 ryan3 years ago

  • Milestone changed from 3.1 to Future Release

comment:10 wonderboymusic8 months ago

  • Resolution set to fixed
  • Status changed from new to closed

This patch made it into core

comment:11 SergeyBiryukov8 months ago

  • Milestone changed from Future Release to 3.0.1
Note: See TracTickets for help on using tickets.