WordPress.org

Make WordPress Core

Opened 7 years ago

Last modified 2 years ago

#18209 reopened defect (bug)

Capabilities with misplaced dependencies in edit_theme_options

Reported by: Clorith
Owned by: nacin
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.2.1
Component: Menus
Keywords: has-patch
Focuses: administration
Cc:

Description

When setting capabilities for other groups, the user is unable to add to theme options with just edit_theme_options if they do not also have edit_posts capabilities. The user will be able to delete things like menu elements, but may not add them without this flag.

How to reproduce:

Edit capabilities of group removing all POSTS to hide the Posts Dashboard pages (works by just removing edit_posts as well). Give group edit_theme_options capabilities to edit their own menus. Users may now access the Theme Options, and may delete objects. User can add menu items to the preview, but once they Save these, the changes are not committed without the edit_posts permission.

Attachments (1)

18209.diff (543 bytes) - added by blepoxp 4 years ago.

Change History (9)

#1 @Obfuscated
5 years ago

Found a workaround to this by changing the capabilities for the nav_menu taxonomy:

// Let users with edit_theme_options assign nav_menu terms.
global $wp_taxonomies;
$wp_taxonomies['nav_menu']->cap->assign_terms = 'edit_theme_options';
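
The workaround above, written as a small plugin that also recreates the role setup from the ticket description. This is an added example, not part of the ticket or its attached patch; the role slug menu_manager and its display name are hypothetical.

```php
<?php
/**
 * Added illustration, not WordPress core code and not the ticket's patch.
 * The role slug 'menu_manager' and its label are hypothetical.
 */

// Recreate the ticket's setup: a role that holds edit_theme_options
// but not edit_posts.
add_action( 'init', function () {
	if ( null === get_role( 'menu_manager' ) ) {
		add_role( 'menu_manager', 'Menu Manager', array(
			'read'               => true,
			'edit_theme_options' => true,
		) );
	}
} );

// Apply the workaround at priority 11, after core has registered its
// built-in taxonomies on init.
add_action( 'init', function () {
	$taxonomy = get_taxonomy( 'nav_menu' );
	if ( ! $taxonomy || ! isset( $taxonomy->cap->assign_terms ) ) {
		return; // Taxonomy not registered; nothing to change.
	}

	// Only replace the register_taxonomy() default ('edit_posts'), so a
	// stricter value set by other code is left alone.
	if ( 'edit_posts' === $taxonomy->cap->assign_terms ) {
		$taxonomy->cap->assign_terms = 'edit_theme_options';
	}
}, 11 );
```

edit_theme_options is a broad capability that also gates widgets and the Customizer, so a role built this way still holds more than menu access.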

#2 @nacin
4 years ago

  • Component changed from Themes to Menus
  • Focuses administration added
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 3.9

Interesting! Sorry I never saw this ticket. Looks like nav menus should indeed gain edit_theme_options for its capabilities. This is an interesting side effect of having cap checks inside wp_insert_post().

#3 @blepoxp
4 years ago

  • Keywords has-patch added; needs-patch removed

First diff in a couple years. Let me know if it's not formatted correctly. Wasn't sure if the 'no new line' would be an issue. I think VIM caused that.

#4 @nacin
4 years ago

  • Milestone changed from 3.9 to Future Release
  • Priority changed from normal to low
  • Severity changed from normal to minor

I think this was fixed by #27113 ([27556]). I'd still like to fix this but I'd like to make sure we get it right. For example, do any other caps need to change?

#5 @nacin
4 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 27717:

Ensure the $path is trailing-slashed in domain_exists().

props ejdanderson, ericmann.
fixes #18209.

#6 @nacin
4 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Oops, [27717] was meant for #20589.

Last edited 4 years ago by nacin

#7 @chriscct7
3 years ago

  • Priority changed from low to normal
  • Severity changed from minor to normal

This ticket was mentioned in Slack in #core by clorith.


2 years ago