WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 9 months ago

#14530 reopened defect (bug)

Cheating huh?

Reported by: shidouhikari Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords: has-patch
Focuses: Cc:

Description

I've seen this infamous error msg more times than I wanted, in my own site where I'm admin.

That happens with more frequency when adding a new comment, but sometimes also inside admin pages.

I understand it's generally capability and permission tests that fail, and that happens in pages that ppl without permission to access them shouldn't see links to them, therefore they probably tried direct access to somewhere they shouldn't be going.

But also it happens when session expires or due to some bug. In these cases, the user is effectively not doing anything wrong, it may even be WP's fault, and when that's the case the message is rude, even offensive to more emotional ppl.

Even worse, it gives no hint on what went wrong, so that user can try to fix it.

Then I suggest these messages to be changed, to more meaningful and also polite messages. Real cheaters and hackers will already have any info a message may provide, so a better explanation of what went wrong won't help them succeed in their attempt to hack a site, and will help a lot the victims of these errors.

Attachments (4)

chaetin.patch (13.9 KB) - added by mrmist 4 years ago.
Replace the cheatin message with a login message
14530-1.patch (13.6 KB) - added by kraftbj 15 months ago.
Change to You do not have sufficient permissions to access this page.
14530-2.patch (13.2 KB) - added by kraftbj 15 months ago.
Change to You do not have permission to view this page.
14530-3.patch (13.8 KB) - added by kraftbj 15 months ago.
Change to A permissions error occurred while attempting to access this page.


Change History (20)

comment:1 mrmist 4 years ago

  • Owner set to mrmist
  • Status changed from new to accepted

Not a problem I've come across, but I agree with the sentiment. I'll see if I can put something together for it.

comment:2 nacin 4 years ago

This warning should never be accessible via the UI. These are nothing more than sanity checks. If they can be accessed in a normal setup via the UI then that is a bug.

mrmist 4 years ago

Replace the cheatin message with a login message

comment:3 mrmist 4 years ago

  • Keywords has-patch added

Having checked this out, it's more difficult than I imagined to actually get one of these warnings. Nevertheless, on the off-chance that it's accessed by a valid user typing in a URL for a random page they don't have access to, attached patch with a more explanatory error.

comment:4 markmcwilliams 4 years ago

Upon looking at the attached patch, would it be better to phrase the text as ... 'There was a problem loading this page, you may not have the necessary permissions, or may need to <a href="' . get_option('siteurl') . '/wp-login.php">' . __('login') . '</a> again?' ... so basically adding the again? after, more, if anything to make it make a little more sense?

comment:5 mrmist 4 years ago

I did do it like that (with "again") originally, but on my screen it created word-wrap to the next line, which I didn't like, hence the way it is now. Trivial to do either way, really.

comment:6 mrmist 4 years ago

  • Owner mrmist deleted
  • Status changed from accepted to assigned

comment:7 nacin 3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

Per conversation in IRC from a few months ago, I'm going to close this as wontfix.

As I said, these are sanity checks. They're impossible to reach via the UI. (If they were, that would be a bug.) You need to hit a URL that you specifically don't have access to. You need to be logged in as well, so the link to wp-login is invalid.

comment:8 kraftbj 15 months ago

  • Cc bk@… added
  • Resolution wontfix deleted
  • Status changed from closed to reopened

I'd like to request reconsideration of this ticket.

While rare, when encountered it gives an unprofessional appearance of WordPress. I had a contact from a prospective client who ditched their previous consultant primarily because, after seeing this error message, they assumed the guy was doing something shady on his site.

I grant that for it to appear, the consultant was probably doing something wrong, but that isn't the point.

Despite the rarity, is there a reason that it should be kept at "Cheatin'" and not something else?

To recreate message:

  1. Log in to /wp-admin/ as privileged user (administrator, editor), etc. Leave that tab alone.
  2. In separate tab, visit /wp-login.php and log in as a Subscriber user.
  3. In original tab, visit the Categories or Tags link (Posts->Tags, etc).

That workflow isn't common, but I could foresee someone in IT showing off a feature of WordPress to someone on the business side of a company and getting that message after mistakenly switching to the wrong tab/not re-logging in first/etc.

Three ideas:

  1. Use the standard permissions error message ("You do not have sufficient permissions to access this page.") and reduce a string for the polyglots.
  2. Use something slightly different to keep it unique to the cheater check. ("You do not have permission to view this page.")
  3. Something more unique ("A permissions error occurred while attempting to access this page.") to help polyglots keep it different.

Patches forthcoming for the three options.

tl;dr -- Sterilize the error a bit to make it more palatable to folks who don't understand our sense of humor. Nothing more needed.

Version 0, edited 15 months ago by kraftbj (next)

kraftbj 15 months ago

Change to You do not have sufficient permissions to access this page.

kraftbj 15 months ago

Change to You do not have permission to view this page.

kraftbj 15 months ago

Change to A permissions error occurred while attempting to access this page.

comment:9 travisnorthcutt 15 months ago

  • Cc travis@… added

+1 on this. I don't see any particular reason not to replace the (snarky, IMO) current message with something more explicit about what's going on.

comment:10 SergeyBiryukov 15 months ago

  • Milestone set to Awaiting Review

comment:11 johnbillion 15 months ago

This message would also benefit from having a link back to either the site home page, or the admin dashboard, so the message isn't such a dead end.

comment:12 kraftbj 15 months ago

John-- I think you're right, but I think we should do that under a different ticket. The other "permission errors" do not include a link back, so my two cents is let's get the text changed, and focus another ticket on the link back.

A quick look at http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/functions.php#L2049 tells me there is a 'back_link' ability, so, without knowing the code better, may be another fix that is more proper than changing the text string.

comment:13 Dorian Speed 15 months ago

  • Cc Dorian Speed added

I agree - I have been in the same situation of having a frustrated client encounter that message and assume there's something shady going on with his website. I like "A permissions error occurred while attempting to access this page."

comment:14 kraftbj 12 months ago

FWIW, I'm helping out over on the WordPress.com forums and a user had the Cheatin' message appear. I think it was a similar reason as described in Comment 8.

http://en.forums.wordpress.com/topic/i-want-my-url-to-be-thisonetreewordpresscom-its-attached-to-my-other-email?replies=13#post-1257253

Despite the rarity, I think a more descriptive message would be a better UX.

comment:15 follow-up: tzkmx 9 months ago

Hi, I'm getting this error "message" trying to activate some child themes. The funny part is they are all children of the same parent theme, and just one of the child themes loads in the customize screen, all others die into the "Cheatin' uh?" "message".

Same user, same permissions. The only bit I found wp_die function in customize.php is this:

if ( ! current_user_can( 'edit_theme_options' ) )
        wp_die( __( 'Cheatin&#8217; uh?' ) );

So, why is this? Have I different permissions according to the theme? Is there only one child theme allowed for any parent theme in a given WP installation?

FWIW, we are trying to set up several child themes for the same parent theme in a network aimed to teach a few people how to extend WP themes without messing up other people's work.

comment:16 in reply to: ↑ 15 tzkmx 9 months ago

Replying to tzkmx:

Same user, same permissions. The only bit I found wp_die function in customize.php is this:

if ( ! current_user_can( 'edit_theme_options' ) )
        wp_die( __( 'Cheatin&#8217; uh?' ) );

My bad, we were creating the stylesheets and the template names were correct, but the child themes we couldn't activate were those we hadn't activated for the network yet. And we were seeing those themes listed on every site anyway, because a function in the Hyper Admins plugin listed them.

I'd like to propose a patch to split the error message on permission, not only on edit_theme_options capability, but checking if the theme is enabled and giving the user the advice to enable for the site first. However I don't know which function could be used, if I discover a way to accomplish this, I'd be more helpful on this thread than just complaining about an uninformative error message.
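
The split proposed in comment 16, combined with the 'back_link' argument mentioned in comment 12, as an added example that is not part of the ticket or of WordPress core. It assumes the code is loaded inside WordPress; the ticket14530_* function names and the two theme-related message strings are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes it is loaded inside
// WordPress; the ticket14530_* function names are hypothetical.

/**
 * Return '' when the current user may customize $stylesheet,
 * otherwise a short reason code for the refusal.
 */
function ticket14530_denial_reason( $stylesheet ) {
	// Capability first: users who fail it learn nothing about themes.
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		return 'missing_capability';
	}
	$theme = wp_get_theme( $stylesheet );
	if ( ! $theme->exists() ) {
		return 'theme_missing';
	}
	// On multisite, a theme must be enabled for the network or this site.
	if ( ! $theme->is_allowed() ) {
		return 'theme_not_enabled';
	}
	return '';
}

function ticket14530_guard( $stylesheet ) {
	$reason = ticket14530_denial_reason( $stylesheet );
	if ( '' === $reason ) {
		return; // Access allowed, carry on.
	}
	$messages = array(
		'missing_capability' => __( 'You do not have sufficient permissions to access this page.' ),
		'theme_missing'      => __( 'The requested theme does not exist.' ),
		'theme_not_enabled'  => __( 'This theme is not enabled for this site. Enable it for the site first.' ),
	);
	// Full detail goes to the server log; sanitize_key() keeps the
	// user-supplied theme name from injecting extra log lines.
	error_log( sprintf(
		'customize denied: user=%d theme=%s reason=%s',
		get_current_user_id(),
		sanitize_key( $stylesheet ),
		$reason
	) );
	// 403 status plus a back link, so the page is not a dead end.
	wp_die( esc_html( $messages[ $reason ] ), '', array( 'response' => 403, 'back_link' => true ) );
}
```

The theme-specific messages are only reachable after the capability check passes, so a user without edit_theme_options sees the same generic permissions text whichever theme was requested.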
