Opened 10 years ago
Last modified 5 years ago
#27670 new defect (bug)
Plugin Information tab - inaccesible without install_plugin capability
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 3.8.1 |
| Component: | Role/Capability | Keywords: | dev-feedback needs-patch |
| Focuses: | administration | Cc: |
Description
Hello,
if I understand it correctly through the Plugin information tab you can also install/update plugins. But if you permit installing plugins with f.e. with add_cap("install_plugins", FALSE) to some user, whole Plugin information tab is unusable for him, so you cant view details, install update even if you are allowed to.
I suppose the problem is in wp-admin/plugin-install.php where is
if ( ! current_user_can('install_plugins') )
wp_die(__('You do not have sufficient permissions to install plugins on this site.'));
so maybe extending the condition above to something like this
if (( ! current_user_can('install_plugins') ) && plugin_not_installed($plugin_name))
could help?
Thanks
Jozef Repáň
Change History (6)
#2
@
10 years ago
Hi krafner,
yes, of course: my colleague meant "prohibit".
I'll sum this up once more, to clarify:
The problem is that, unlike what you are saying, the install_plugins capability is not only for installing new plugins.
It is the exact same capability that is being checked when I want to check the changelog for a plugin that has an update available.
The situation: I have a user (admin) with add_cap("install_plugins", FALSE); and add_cap("update_plugins", true);
This user can update plugins, but cannot see the changelog (the "View version x.x.xx details" pop-in in the "There is a new version of Filled In available. View version x.x.xx details or update now." message that appears under a plugin that has an update available).
The proposed solution is to change the condition to e.g.:
if (( ! current_user_can('install_plugins') ) && plugin_not_installed($plugin_name))
or a combination of install_plugins and update_plugins so that installation of new plugins is prohibited but viewing update information is allowed.
Thanks,
Karol Kosar
#3
@
10 years ago
- Keywords dev-feedback added; reporter-feedback removed
Thanks for the clarification. Now I get it. The problem is that the changelog is inside plugin-install.php which seems to be only meant to be accessible for when you can also install plugins. But I think you are right that this should be changed.
Also I think that the problem doesn't originate from "wp-admin/plugin-install.php" as the message isn't:
"You do not have sufficient permissions to install plugins on this site."
but
"You do not have sufficient permissions to access this page."
Further investigation will be needed...
#5
@
8 years ago
The problem currently is that the plugin information tab is sitting on top of wp-admin/plugin-install.php and therefore "inherits" the requirements for plugin installation. To change this a pretty extensive rewrite of permission checking for wp-admin is necessary which unfortunately I couldn't wrap my hand around yet.
So where we're actually being kicked out is the check with user_can_access_admin_page() at the end of wp-admin/includes/menu.php
#6
@
8 years ago
Hello kraftner,
thank you for your follow up on this.
This is still a problem even in WordPress 4.5.3 - on our sites we allow Administrators to activate, deactivate and update plugins, but we don't allow installing new plugins. So they still have no way of checking the plugin changelogs before applying an update.
Thanks,
Martin
First I think what you actually mean is "But if you prohibit installing plugins with f.e. with add_cap("install_plugins", FALSE) ..." is this correct?
Then "wp-admin/plugin-install.php" is only for installing new plugins which "install_plugins" is the right capability for. "wp-admin/plugins.php" on the other hand only checks for "current_user_can('activate_plugins')" so I think this is all fine.
If not, can you please clarify your issue?