Make WordPress Core

Opened 16 months ago

Last modified 4 months ago

#22895 new defect (bug)

user_can_admin_menu() is Type-Insensitive for Users who Can't Create Pages

Reported by: kevinB
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.5
Component: Role/Capability
Keywords: has-patch needs-testing 3.7-early
Focuses:
Cc:

Description

Utilization of the new edit_posts / create_posts capability separation reveals a flaw in admin menu privilege checking.

The issue occurs when:

  1. For any post type other than "post", the user has $type->cap->edit_posts but not $type->cap->create_posts
  2. User also does not have a manage_terms capability for any associated taxonomies

In that situation, access to "edit.php?post_type=whatever" fails unless the user has the "edit_posts" cap for the "post" type.

This occurs because:

  1. wp-admin/includes/menu.php removes solitary submenus that have the same destination as the parent
  2. get_admin_page_parent() returns nullstring if there is no $submenu item
  3. user_can_access_admin_page() performs a type-sensitive capability check only if get_admin_page_parent() returns an existing $submenu key.

For now, my plugin workaround is to hook into 'admin_menu' and add a dummy submenu with nullstring caption.
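An added example (not the reporter's plugin code and not anything from WordPress core) of a post type configuration that meets the conditions above, together with the 'admin_menu' dummy-submenu workaround just described. The post type "book", the role "book_editor", the "*_books" capability names and the dummy slug are constructed for illustration.

```php
<?php
// Constructed example for ticket #22895: post type "book", role "book_editor"
// and the "*_books" capability names are assumptions, not taken from core.

add_action( 'init', function () {
    // create_posts is mapped to a capability distinct from edit_posts,
    // the condition under which the ticket's problem appears.
    register_post_type( 'book', array(
        'label'           => 'Books',
        'public'          => true,
        'show_ui'         => true,
        'map_meta_cap'    => true,
        'capability_type' => array( 'book', 'books' ),
        'capabilities'    => array( 'create_posts' => 'create_books' ),
    ) );

    // A role that can edit existing books but not create them, and that has
    // neither edit_posts for "post" nor manage_terms for any taxonomy.
    if ( ! get_role( 'book_editor' ) ) {
        add_role( 'book_editor', 'Book Editor', array(
            'read'              => true,
            'edit_books'        => true,
            'edit_others_books' => true,
        ) );
    }
} );

// Workaround described in the ticket: a dummy submenu with an empty caption.
// For a book_editor the "Add New" item is filtered out (no create_books),
// which would leave "All Books" as a solitary submenu pointing at the parent
// URL; wp-admin/includes/menu.php then removes it and get_admin_page_parent()
// returns an empty string. The extra entry keeps the submenu count at two, so
// the "All Books" entry survives and the type-sensitive check can run.
add_action( 'admin_menu', function () {
    add_submenu_page(
        'edit.php?post_type=book', // parent slug
        '',                        // page title
        '',                        // empty menu caption
        'edit_books',              // the role must hold this, or it is filtered too
        'book-dummy-submenu'       // constructed slug, distinct from the parent
    );
}, 99 );
```

With the plugin active, a book_editor user can load edit.php?post_type=book without holding the general edit_posts capability; deactivating the 'admin_menu' hook reproduces the original failure.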

Attachments (1)

22895.diff (645 bytes) - added by nacin 16 months ago.


Change History (17)

comment:1 kevinB 16 months ago

  • Summary changed from user_can_admin_menu() is Type-Insensitive for Users who can't create pages to user_can_admin_menu() is Type-Insensitive for Users who Can't Create Pages

comment:2 nacin 16 months ago

  • Milestone changed from Awaiting Review to 3.5.1

comment:3 kevinB 16 months ago

This will be obvious to some, but note that this issue only occurs when:

  • $type_obj->cap->create_posts is defined to != $type_obj->cap->edit_posts
Last edited 16 months ago by kevinB

comment:4 johnbillion 16 months ago

  • Cc johnbillion added

comment:5 georgestephanis 16 months ago

Blocking off some time on Saturday to wrangle this if no one else beats me to it.

comment:6 georgestephanis 16 months ago

I'm trying to get the capabilities set up properly on a post type to duplicate this ... any chance you can paste me your register_post_type capabilities that you're using?

nacin 16 months ago

comment:8 follow-up: nacin 16 months ago

  • Milestone changed from 3.5.1 to 3.6

22895.diff is a hack that allows user_can_access_admin_page() to respect edit.php?post_type= pages. It still does not respect edit-tags.php?taxonomy= pages, though, and neither does get_admin_page_parent(). Overall, the whole thing is a mess and needs to be rewritten. Fun. Even #12718 only touches the API, rather than the inner guts...

Since this is a new feature, and I'm not really sure of the possible breakage that could be caused by 22895.diff (one problem with the admin menu code is it is completely unmaintainable), I'm going to move this ticket to 3.6. So, 3.5 has create_posts with a caveat: It only works if the user has edit_posts, such as when the post type leverages edit_posts (like attachments do). Not the best, but also not something to go messing with a point release. Think of it as version 0.1.

comment:9 DrewAPicture 11 months ago

  • Keywords has-patch needs-testing added

comment:10 nacin 9 months ago

  • Keywords 3.7-early added
  • Milestone changed from 3.6 to Future Release

comment:11 wonderboymusic 9 months ago

  • Milestone changed from Future Release to 3.7

These are all marked 3.7-early.

comment:12 in reply to: ↑ 8; follow-up: johnbillion 7 months ago

Replying to nacin:

So, 3.5 has create_posts with a caveat: It only works if the user has edit_posts, such as when the post type leverages edit_posts (like attachments do).

I've just run into this problem. A user who doesn't have the create_posts capability for a custom post type can't see the edit menu for that post type unless they also have the general edit_posts capability. This is caused by $parent in user_can_access_admin_page() being empty when it shouldn't.

comment:13 in reply to: ↑ 12 nacin 7 months ago

Replying to johnbillion:

I've just run into this problem. A user who doesn't have the create_posts capability for a custom post type can't see the edit menu for that post type unless they also have the general edit_posts capability. This is caused by $parent in user_can_access_admin_page() being empty when it shouldn't.

So 22895.diff would be the wrong fix? Patch welcome for sure.

comment:14 johnbillion 7 months ago

At the moment, I'm not sure. I'll find some time to look at it.

comment:15 nacin 6 months ago

  • Milestone changed from 3.7 to 3.8

comment:16 nacin 4 months ago

  • Milestone changed from 3.8 to Future Release

Still unsure what the right fix is.
