Opened 5 years ago

Closed 5 years ago

#26574 closed defect (bug) (fixed)

Dashboard shows inaccessible links for Authors and Contributors

Reported by: johnbillion Owned by: johnbillion
Milestone: 3.8.1 Priority: low
Severity: minor Version: 3.8
Component: Administration Keywords: has-patch commit fixed-major
Focuses: Cc:

Description

The "At a Glance" dashboard widget shows "X Posts", "X Pages" and "X Comments" with links to the corresponding listing screens, but there are no capability checks in place when the links are output. This means Author level users see a link to the Pages screen that they don't have access to, and Contributors see a link to the Posts, Comments and Pages screens, none of which they have access to.

In 3.7 and earlier, if the user didn't have the capability to edit the object then the text was shown without a link.

Previously: #26495, #25824
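
The missing check described in this ticket, sketched as an added example (it is not WordPress core code and not the attached patch). It renders the widget items in the two ways discussed in the comments, unlinked text or hidden. The helper user_can() is a hypothetical stand-in for WordPress's current_user_can(), and the capability sets and counts are constructed.

```php
<?php
// Added illustration, not WordPress core code.
// user_can() is a hypothetical stand-in for WordPress's current_user_can().
function user_can(array $user_caps, string $cap): bool {
    return in_array($cap, $user_caps, true);
}

// Each item carries the capability its listing screen requires, so the
// widget consults the same capability as the screen it links to.
const GLANCE_ITEMS = [
    'post' => ['cap' => 'edit_posts', 'url' => 'edit.php',                'label' => 'Posts'],
    'page' => ['cap' => 'edit_pages', 'url' => 'edit.php?post_type=page', 'label' => 'Pages'],
];

// $mode 'unlink': count shown as plain text when the user lacks the capability
//                 (the 3.7 behaviour described in the ticket).
// $mode 'hide'  : the item is omitted entirely.
function render_glance(array $user_caps, array $counts, string $mode = 'unlink'): string {
    $out = '';
    foreach (GLANCE_ITEMS as $type => $item) {
        $text = htmlspecialchars(($counts[$type] ?? 0) . ' ' . $item['label'], ENT_QUOTES);
        if (user_can($user_caps, $item['cap'])) {
            $out .= sprintf(
                "<li class=\"%s-count\"><a href=\"%s\">%s</a></li>\n",
                $type,
                htmlspecialchars($item['url'], ENT_QUOTES),
                $text
            );
        } elseif ($mode === 'unlink') {
            // No <a> element here: any CSS that targets the link (for example
            // the icon styling) has to cover this <span> as well.
            $out .= sprintf("<li class=\"%s-count\"><span>%s</span></li>\n", $type, $text);
        }
    }
    return $out;
}

// Constructed sample: a user who may edit posts but not pages.
$caps   = ['read', 'edit_posts'];
$counts = ['post' => 12, 'page' => 4];

echo "unlink mode:\n", render_glance($caps, $counts, 'unlink');
echo "hide mode:\n",   render_glance($caps, $counts, 'hide');
```

Either mode only changes what the widget displays; the listing screen still has to enforce the capability itself.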

Attachments (1)

26574.diff (2.2 KB) - added by mattheu 5 years ago.

Change History (15)

#1 @johnbillion
5 years ago

Note that the CSS for the icons on these links relies on there being an a tag present. That'll need changing too.

#2 @johnbillion
5 years ago

Actually we might as well just not show the items that the user cannot edit.

#3 @SergeyBiryukov
5 years ago

  • Milestone changed from Awaiting Review to 3.8.1

#4 @toscho
5 years ago

  • Cc info@… added

@mattheu
5 years ago

#5 @mattheu
5 years ago

Patch added

#6 @mattheu
5 years ago

  • Keywords has-patch added

#7 @helen
5 years ago

What are we thinking here? Unlinked text (as previously) or just hide the item altogether?

#8 follow-up: @johnbillion
5 years ago

Hide them I think. Not a lot of value in displaying the count for something the user can't access.

#9 in reply to: ↑ 8 @nacin
5 years ago

  • Owner set to johnbillion
  • Status changed from new to assigned

Replying to johnbillion:

Hide them I think. Not a lot of value in displaying the count for something the user can't access.

While there's nothing wrong with hiding them, I wonder if there will be much for low-level users to be able to get a "glance" of.

At the same time, one could argue there's not a whole lot of value for displaying many of these counts to anyone, which is partially why there are less numbers just randomly tossed onto the dashboard now.

Let's remove them for now (and for 3.8.1), to remove the broken links. But worth future consideration.

johnbillion, up for running with this?

This ticket was mentioned in IRC in #wordpress-dev by helen. View the logs.


5 years ago

#11 @nacin
5 years ago

In 26999:

Dashboard widgets: Don't link to Pages or Posts for Authors or Contributors respectively.

props mattheu.
see #26574 for trunk.

#12 @nacin
5 years ago

  • Keywords commit fixed-major added

#13 @nacin
5 years ago

[26999] seemed like the best compromise for the 3.8 branch, given it keeps the UI change small, and also is a bit more consistent with 3.7.

#14 @nacin
5 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 27001:

Dashboard widgets: Don't link to Pages or Posts for Authors or Contributors respectively.

Merges [26999] to the 3.8 branch.

props mattheu.
fixes #26574.
