Opened 6 years ago

Last modified 3 years ago

#19415 new defect (bug)

wp_nav_menu showing private/concepts posts without rights

Reported by: thomask Owned by:
Milestone: Awaiting Review Priority: normal
Severity: major Version: 3.0
Component: Menus Keywords: has-patch
Focuses: Cc:

Description

When you are using WordPress menus and you have your post/page in a menu (e.g. using Automatically add new top-level pages) and then change the post/page to concept or set it private, the link to the post/page stays in the menu for all users, which may have some negative security concerns.

This error is in all versions, including today's nightly.

IMO it should show only visible posts (if someone disagrees and needs it for some backward compatibility, there may be some parameter, but IMO hiding private/concept should be the default).

Attachments (1)

19415.diff (1.6 KB) - added by ninnypants 3 years ago.

Change History (6)

#1 in reply to: ↑ description @linuxologos
6 years ago

  • Version changed from 3.3 to 3.0

This error is in all versions, including today's nightly.

#3 @Offereins
6 years ago

  • Cc lmoffereins@… added

Isn't this easy to fix with a filter on wp_nav_menu_objects checking the readability of the object (if post or cpt) for the current user and handling the array accordingly? Or does this need a check before that on querying the DB?
Anyways, can someone tell if this is looked at ever since reporting?
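
The filter approach suggested in comment #3, written out as an added example (it is not code from this ticket, from 19415.diff or from WordPress core). The function name is hypothetical, and hiding the whole subtree of a hidden item is an assumption of this sketch.

```php
<?php
// Added example, not WordPress core code and not the attached 19415.diff.
// example_hide_unreadable_menu_items is a hypothetical name.
function example_hide_unreadable_menu_items( $items, $args ) {
	$removed = array(); // IDs of menu items dropped so far.

	// Items arrive sorted by menu order, so a parent is seen before its children.
	foreach ( $items as $key => $item ) {
		// Assumption of this sketch: hide the whole subtree of a hidden item.
		if ( in_array( (int) $item->menu_item_parent, $removed, true ) ) {
			$removed[] = (int) $item->ID;
			unset( $items[ $key ] );
			continue;
		}

		// Only items that point at a post, page or custom post type are checked.
		if ( 'post_type' !== $item->type ) {
			continue;
		}

		$post_id = (int) $item->object_id;
		$status  = get_post_status( $post_id ); // false if the post is gone.
		$object  = $status ? get_post_status_object( $status ) : null;

		// Publicly visible statuses (e.g. publish) stay for everyone,
		// including logged-out visitors, who hold no capabilities at all.
		if ( $object && $object->public ) {
			continue;
		}

		// Private, draft, pending and similar: keep only if this user may read the post.
		if ( $status && current_user_can( 'read_post', $post_id ) ) {
			continue;
		}

		$removed[] = (int) $item->ID;
		unset( $items[ $key ] );
	}

	return $items;
}
add_filter( 'wp_nav_menu_objects', 'example_hide_unreadable_menu_items', 10, 2 );
```

The filter runs when the menu is rendered, so the stored menu is left unchanged and the item shows again once the post returns to a public status.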

@ninnypants
3 years ago

#4 @ninnypants
3 years ago

  • Keywords has-patch added

19415.diff sets up auto remove for any post object removed from a publicly visible status. Basically anything that wouldn't show up to be added in Appearance > Menus is auto removed.

#5 @SergeyBiryukov
3 years ago

  • Component changed from Security to Menus