Opened 14 years ago
Closed 14 years ago
#15326 closed enhancement (fixed)
Always check capabilites in admin pages
Reported by: | westi | Owned by: | ryan |
---|---|---|---|
Milestone: | 3.1 | Priority: | high |
Severity: | normal | Version: | 3.1 |
Component: | Security | Keywords: | dev-feedback |
Focuses: | Cc: |
Description
WP_List_Table introduces a check_permissions() function which hides away the capabilities check inside the list table class so that it is easy to write a generic AJAX handler.
We should still have current_user_can() checks in the normal admin pages as it makes it easier to review for security holes.
Still doing it in the table classes is good defence in depth.
Attachments (1)
Change History (18)
#2
@
14 years ago
Also, what if we had check_permissions() instead just return a cap to check? Then we can just call current_user_can( $wp_list_table->cap() ). That cuts out redundant cycles and also makes it *very* clear what's going on. (It's arguably confusing why we're doing it twice.) We're also no longer really just using strings for capabilities, given the cap objects for taxonomies and post types.
#4
@
14 years ago
I don't like the current_user_can( $wp_list_table->cap())
because it still hides away the required cap in a lot of cases.
#11
@
14 years ago
Noticed some issues with how we were still doing things.
We need to change wp_die() in every check_permissions() method to die('-1').
15326.diff kills off check_permissions() entirely.
The new method is called ajax_user_can(). You return current_user_can() through it. In admin-ajax, we then die with -1 if appropriate.
Renaming it allows us to ensure that no one is using it incorrectly, as we'd be returning true/false rather than dying.
Conservative alternative: die with -1 in each handler. No need to rename the function.
#12
@
14 years ago
I really like ajax_user_can - I've been wanting to rename the function and this makes the checks even more obvious.
I hate hiding the dies/wp_dies in a function.
[16222] never hit the ticket.
wpdavis on IRC mentioned that he was getting 'Cheatin', uh?' on edit-tags.php. I couldn't track it down for a while, but sure enough, $tax isn't actually set at that point, or if it is, then it's because of a variable collision. Fixing now.