Opened 4 years ago

Last modified 2 years ago

#27670 new defect (bug)

Plugin Information tab - inaccessible without install_plugin capability

Reported by: FolioVision
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 3.8.1
Component: Role/Capability
Keywords: dev-feedback needs-patch
Focuses: administration
Cc:

Description

Hello,

if I understand it correctly, through the Plugin information tab you can also install/update plugins. But if you permit installing plugins, f.e. with add_cap("install_plugins", FALSE), to some user, the whole Plugin information tab is unusable for him, so you can't view details or install an update even if you are allowed to.

I suppose the problem is in wp-admin/plugin-install.php, where there is

if ( ! current_user_can('install_plugins') ) 
	wp_die(__('You do not have sufficient permissions to install plugins on this site.'));

so maybe extending the condition above to something like this

if (( ! current_user_can('install_plugins') ) && plugin_not_installed($plugin_name))

could help?

Thanks Jozef Repáň

Change History (6)

#1 @kraftner
4 years ago

  • Keywords reporter-feedback added

First I think what you actually mean is "But if you prohibit installing plugins with f.e. with add_cap("install_plugins", FALSE) ..." is this correct?

Then "wp-admin/plugin-install.php" is only for installing new plugins which "install_plugins" is the right capability for. "wp-admin/plugins.php" on the other hand only checks for "current_user_can('activate_plugins')" so I think this is all fine.

If not, can you please clarify your issue?

#2 @FolioVision
4 years ago

Hi kraftner,

yes, of course: my colleague meant "prohibit".

I'll sum this up once more, to clarify:

The problem is that, unlike what you are saying, the install_plugins capability is not only for installing new plugins.

It is the exact same capability that is being checked when I want to check the changelog for a plugin that has an update available.

The situation: I have a user (admin) with add_cap("install_plugins", FALSE); and add_cap("update_plugins", true);

This user can update plugins, but cannot see the changelog (the "View version x.x.xx details" pop-in in the "There is a new version of Filled In available. View version x.x.xx details or update now." message that appears under a plugin that has an update available).

The proposed solution is to change the condition to e.g.:

if (( ! current_user_can('install_plugins') ) && plugin_not_installed($plugin_name))

or a combination of install_plugins and update_plugins so that installation of new plugins is prohibited but viewing update information is allowed.

Thanks, Karol Kosar
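The access rule described in the description and in comment #2, as an added PHP illustration that is neither WordPress core code nor the reporter's patch: the capability map, the requested slug and the installed-plugin list are constructed stand-ins for current_user_can(), $_REQUEST['plugin'] and get_plugins(), and can_view_plugin_information() is a hypothetical helper name.

```php
<?php
// Added illustration only; not WordPress core code. The inputs below are
// constructed stand-ins for current_user_can(), $_REQUEST['plugin'] and
// the keys of get_plugins().

/**
 * True if $slug matches an installed plugin living in its own directory,
 * e.g. "akismet" matches the get_plugins() key "akismet/akismet.php".
 * Single-file plugins ("hello.php") carry no directory, and their
 * WordPress.org slug ("hello-dolly") is not derivable from the file name,
 * so they are deliberately reported as not matched here.
 */
function plugin_slug_is_installed(string $slug, array $installed_plugin_files): bool {
    foreach ($installed_plugin_files as $file) {
        $dir = dirname($file);
        if ($dir !== '.' && $dir === $slug) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether the plugin-information tab may be shown (hypothetical helper).
 *   install_plugins       -> any slug (the user could install it anyway)
 *   update_plugins only   -> only slugs that are already installed, which is
 *                            exactly the changelog-before-update case
 *   neither               -> denied, same as today
 */
function can_view_plugin_information(array $caps, string $slug, array $installed_plugin_files): bool {
    if (!empty($caps['install_plugins'])) {
        return true;
    }
    return !empty($caps['update_plugins'])
        && plugin_slug_is_installed($slug, $installed_plugin_files);
}

// Constructed sample: the ticket's administrator, with install_plugins
// removed via add_cap("install_plugins", FALSE) and update_plugins kept.
$caps      = ['install_plugins' => false, 'update_plugins' => true];
$installed = ['akismet/akismet.php', 'hello.php'];

assert(can_view_plugin_information($caps, 'akismet', $installed) === true);          // installed: changelog visible
assert(can_view_plugin_information($caps, 'some-new-plugin', $installed) === false); // not installed: still denied
assert(can_view_plugin_information(['update_plugins' => false], 'akismet', $installed) === false);
assert(can_view_plugin_information(['install_plugins' => true], 'some-new-plugin', $installed) === true);
echo "all checks passed\n";
```

In plugin-install.php the existing guard would then read `if ( ! can_view_plugin_information( ... ) ) wp_die( ... );` instead of testing install_plugins alone; new-plugin installation stays behind install_plugins.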

#3 @kraftner
4 years ago

  • Keywords dev-feedback added; reporter-feedback removed

Thanks for the clarification. Now I get it. The problem is that the changelog is inside plugin-install.php which seems to be only meant to be accessible for when you can also install plugins. But I think you are right that this should be changed.

Also I think that the problem doesn't originate from "wp-admin/plugin-install.php" as the message isn't:

"You do not have sufficient permissions to install plugins on this site." but "You do not have sufficient permissions to access this page."

Further investigation will be needed...

#4 @chriscct7
3 years ago

  • Keywords needs-patch added

#5 @kraftner
2 years ago

The problem currently is that the plugin information tab is sitting on top of wp-admin/plugin-install.php and therefore "inherits" the requirements for plugin installation. To change this a pretty extensive rewrite of permission checking for wp-admin is necessary which unfortunately I couldn't wrap my hand around yet. So where we're actually being kicked out is the check with user_can_access_admin_page() at the end of wp-admin/includes/menu.php

Last edited 2 years ago by kraftner

#6 @FolioVision
2 years ago

Hello kraftner,

thank you for your follow up on this.

This is still a problem even in WordPress 4.5.3 - on our sites we allow Administrators to activate, deactivate and update plugins, but we don't allow installing new plugins. So they still have no way of checking the plugin changelogs before applying an update.

Thanks, Martin