WordPress.org

Make WordPress Core

Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#22756 closed feature request (wontfix)

Limited user can set page as "child" of every page in WP

Reported by: kalor
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.4.2
Component: Role/Capability
Keywords:
Focuses:
Cc:

Description

After limiting a user's access by changing its role capabilities to edit_private_pages only, the user is still able to set a page as a child of every page that's in the system.

That's an easy way to make a mess in the system, especially if the menu is created from the page hierarchy.

IMO changing the page hierarchy is part of page editing, and edit_private_pages should limit the user to changing the page hierarchy only with his own pages.

Change History (10)

comment:1 scribu 17 months ago

  • Keywords dev-feedback removed

edit_private_pages should limit the user to changing the page hierarchy only with his own pages.

Doesn't it? Are they able to set the parent of pages they don't own?

comment:2 knutsp 17 months ago

  • Cc knut@… added

Private pages are not the same as own pages. By "own" I mean pages with the actual user as author. "Private" is an attribute for "published" posts and pages that limits their visibility to users with the read_private_pages or read_private_posts capabilities.

A user who should only have access to edit own pages should have the edit_pages capability, but not the edit_others_pages capability, and perhaps also not the read_private_posts capability.

Last edited 17 months ago by knutsp

comment:3 kalor 17 months ago

I've checked it. My user has these capabilities on:

delete_pages,
delete_published_pages,
edit_pages,
edit_published_pages,
publish_pages,
read,

The rest are off.

I can still create a new page and mark it as a child of every published page.

comment:4 scribu 17 months ago

  • Keywords 2nd-opinion added

Yes, that's the expected behaviour. What you're asking is for WP to check that the parent page can also be edited by the user.

Note that, if we did this, we'd have to do something similar for parent-child categories.

comment:5 knutsp 17 months ago

I think this behaviour is as expected. Setting a page as a child of another does not change the parent in any way. Creating a page might also create a menu item on front, but setting it as a sub-page makes it less prominent than for a top-level page.

If a user should not be allowed to publish a page as a sub-page of another, then the user should not have the capability to publish a page in the first place. Publishing is publishing.

To protect the front navigation menus, one should use the menu system without automatically adding new pages to any in use on the front.

comment:6 kalor 17 months ago

I understood the idea, thank you knutsp.

IMHO I, as an administrator, should somehow prevent such a situation, in which users can make a mess of the page structure. Even 5 users can create a very big structure of pages with the same names - that's a very easy way to make a mistake then.

Limiting users to adding sub-pages only to their own pages (and especially limiting the visibility of the whole structure in the "page attributes" menu during creation of a new page) will give the opportunity to create an almost individual set of pages for every user.

With such a limitation it will be possible to build simple individual pages for every user without a Multisite installation, based on roles and capabilities only (in template: posts limited by loop attributes, pages limited to user pages, menu built from page structure; in admin: access to own posts, access to own pages, structure own pages only).

So IMHO it's a good point to think about an additional role capability that will allow or disallow creating the page structure with other users' pages.

comment:7 knutsp 17 months ago

  • Keywords close added

The idea is excellent, but clearly plugin territory. There might be a lot of other implications when wanting each user to have their own, separate page hierarchy, and not be able to connect them to others' pages. It's outside of what WordPress core should provide and maintain, as this is a special usage of WordPress. Through plugins WordPress is great for almost anything you desire, this idea included.

If new hooks are needed for such a plugin to work, create a ticket for that, I suggest.

comment:8 kalor 17 months ago

I was looking for a possibility for such a change, and a plugin is the easiest way.

Thank you all for support.

Ticket to close.

comment:9 knutsp 17 months ago

  • Component changed from Administration to Role/Capability
  • Keywords 2nd-opinion close removed
  • Resolution set to wontfix
  • Status changed from new to closed

comment:10 helenyhou 17 months ago

  • Milestone Awaiting Review deleted
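
The check described in comment 4 (that the user can also edit the parent page), written as the kind of plugin comment 7 suggests. This is an added example, not code from the ticket or from WordPress core; the plugin name and the `rpp_` function names are hypothetical, and it assumes a user without `edit_others_pages` should only be offered their own pages as parents.

```php
<?php
/**
 * Plugin Name: Restrict Page Parent (illustrative example, hypothetical name)
 */

// Hypothetical helper: may the current user place a page under $parent_id?
function rpp_parent_allowed( $parent_id ) {
	$parent_id = (int) $parent_id;
	// 0 means top level (no parent). Otherwise require edit rights on the parent.
	return 0 === $parent_id || current_user_can( 'edit_post', $parent_id );
}

// Enforcement on save: applies to every wp_insert_post()/wp_update_post() call,
// so it holds no matter which editor or request produced the parent ID.
function rpp_filter_parent( $post_parent, $post_id, $new_postarr, $postarr ) {
	if ( 'page' !== ( $new_postarr['post_type'] ?? '' ) ) {
		return $post_parent;
	}
	// Parent currently stored for this page (0 for a page being created).
	$stored = $post_id ? (int) get_post_field( 'post_parent', $post_id, 'raw' ) : 0;
	// An unchanged parent is left alone: someone with more rights may have set it.
	if ( (int) $post_parent === $stored || rpp_parent_allowed( $post_parent ) ) {
		return $post_parent;
	}
	// Rejected change: keep the stored value instead of the requested one.
	// With no current user (cron, WP-CLI without --user) every change is rejected.
	return $stored;
}
add_filter( 'wp_insert_post_parent', 'rpp_filter_parent', 10, 4 );

// UI only: hide other users' pages from the "Parent" dropdowns. This is a
// convenience, not a control; the save filter above is what enforces the rule.
function rpp_limit_parent_dropdown( $args ) {
	if ( ! current_user_can( 'edit_others_pages' ) ) {
		$args['authors'] = (string) get_current_user_id();
	}
	return $args;
}
add_filter( 'page_attributes_dropdown_pages_args', 'rpp_limit_parent_dropdown' );
add_filter( 'quick_edit_dropdown_pages_args', 'rpp_limit_parent_dropdown' );
```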