Make WordPress Core

Opened 11 years ago

Closed 10 years ago

#26574 closed defect (bug) (fixed)

Dashboard shows inaccessible links for Authors and Contributors

Reported by: johnbillion
Owned by: johnbillion
Milestone: 3.8.1
Priority: low
Severity: minor
Version: 3.8
Component: Administration
Keywords: has-patch commit fixed-major
Focuses:
Cc:

Description

The "At a Glance" dashboard widget shows "X Posts", "X Pages" and "X Comments" with links to the corresponding listing screens, but there are no capability checks in place when the links are output. This means Author level users see a link to the Pages screen that they don't have access to, and Contributors see a link to the Posts, Comments and Pages screens, none of which they have access to.

In 3.7 and earlier, if the user didn't have the capability to edit the object then the text was shown without a link.

Previously: #26495, #25824

Attachments (1)

26574.diff (2.2 KB) - added by mattheu 11 years ago.


Change History (15)

#1 @johnbillion
11 years ago

Note that the CSS for the icons on these links relies on there being an a tag present. That'll need changing too.

#2 @johnbillion
11 years ago

Actually we might as well just not show the items that the user cannot edit.

#3 @SergeyBiryukov
11 years ago

  • Milestone changed from Awaiting Review to 3.8.1

#4 @toscho
11 years ago

  • Cc info@… added

@mattheu
11 years ago

#5 @mattheu
11 years ago

Patch added

#6 @mattheu
11 years ago

  • Keywords has-patch added

#7 @helen
11 years ago

What are we thinking here? Unlinked text (as previously) or just hide the item altogether?

#8 follow-up: @johnbillion
11 years ago

Hide them I think. Not a lot of value in displaying the count for something the user can't access.

#9 in reply to: ↑ 8 @nacin
11 years ago

  • Owner set to johnbillion
  • Status changed from new to assigned

Replying to johnbillion:

> Hide them I think. Not a lot of value in displaying the count for something the user can't access.

While there's nothing wrong with hiding them, I wonder if there will be much for low-level users to be able to get a "glance" of.

At the same time, one could argue there's not a whole lot of value for displaying many of these counts to anyone, which is partially why there are fewer numbers just randomly tossed onto the dashboard now.

Let's remove them for now (and for 3.8.1), to remove the broken links. But worth future consideration.

johnbillion, up for running with this?

This ticket was mentioned in IRC in #wordpress-dev by helen. View the logs.


10 years ago

#11 @nacin
10 years ago

In 26999:

Dashboard widgets: Don't link to Pages or Posts for Authors or Contributors respectively.

props mattheu.
see #26574 for trunk.

#12 @nacin
10 years ago

  • Keywords commit fixed-major added

#13 @nacin
10 years ago

[26999] seemed like the best compromise for the 3.8 branch, given it keeps the UI change small, and also is a bit more consistent with 3.7.

#14 @nacin
10 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 27001:

Dashboard widgets: Don't link to Pages or Posts for Authors or Contributors respectively.

Merges [26999] to the 3.8 branch.

props mattheu.
fixes #26574.
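
An added example, not part of the ticket or of WordPress core: one way to gate an "At a Glance" link on the post type's edit capability, covering both options discussed above (unlinked text or hiding the item). The helper name `example_glance_item`, the sample counts and the stand-in functions used outside WordPress are assumptions.

```php
<?php
// Added example, not WordPress core code. The stand-ins below are defined only
// when WordPress is not loaded, so the file also runs under plain `php`.
if ( ! function_exists( 'current_user_can' ) ) {
	// Constructed user: holds edit_posts but not edit_pages.
	function current_user_can( $cap ) {
		return in_array( $cap, array( 'edit_posts' ), true );
	}
	// Mirrors the shape of a post type object: ->cap->edit_posts names the
	// capability that guards that type's listing screen.
	function get_post_type_object( $type ) {
		$caps = array( 'post' => 'edit_posts', 'page' => 'edit_pages' );
		return isset( $caps[ $type ] )
			? (object) array( 'cap' => (object) array( 'edit_posts' => $caps[ $type ] ) )
			: null;
	}
	function admin_url( $path ) { return '/wp-admin/' . $path; }
	function esc_url( $url ) { return htmlspecialchars( $url, ENT_QUOTES ); }
	function esc_html( $text ) { return htmlspecialchars( $text, ENT_QUOTES ); }
	function esc_attr( $text ) { return htmlspecialchars( $text, ENT_QUOTES ); }
}

/**
 * Hypothetical helper: build one "At a Glance" list item.
 * $mode 'unlink' prints plain text when the capability is missing (the 3.7
 * behaviour described in the ticket); 'hide' omits the item.
 */
function example_glance_item( $post_type, $text, $mode = 'unlink' ) {
	$object  = get_post_type_object( $post_type );
	$allowed = $object && current_user_can( $object->cap->edit_posts );
	$class   = esc_attr( $post_type . '-count' );

	if ( $allowed ) {
		$url = admin_url( 'edit.php?post_type=' . rawurlencode( $post_type ) );
		return sprintf( '<li class="%s"><a href="%s">%s</a></li>', $class, esc_url( $url ), esc_html( $text ) );
	}
	if ( 'hide' === $mode ) {
		return '';
	}
	// Comment 1 notes the icon CSS expects an <a>; styles must also match this <span>.
	return sprintf( '<li class="%s"><span>%s</span></li>', $class, esc_html( $text ) );
}

if ( 'cli' === PHP_SAPI ) {
	// Constructed counts for the demonstration run.
	foreach ( array( 'post' => '12 Posts', 'page' => '3 Pages' ) as $type => $text ) {
		echo example_glance_item( $type, $text ), "\n";
	}
}
```

With the constructed user, the Posts item is rendered as a link and the Pages item as unlinked text; passing `'hide'` as the third argument drops the Pages item instead.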
