WordPress.org
Get WordPress

Make WordPress Core

Opened 12 years ago

Last modified 6 weeks ago

#28821 new defect (bug)

Admin page registered with add_menu_page() allows access through wrong URls and hightlights wrong top level menu item

Reported by: f-j-kaiser's profile F J Kaiser Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.9.1
Component: Administration Keywords: has-patch
Focuses: administration Cc:

Description

Steps to reproduce:

  • Add a top level admin menu page (with the plugin provided below).
  • Access the new top level admin menu via the menu item (bottom of menu)
  • Try to access it via one of the following URLs 
http://example.com/wp-admin/options-general.php?page=trac
http://example.com/wp-admin/tools.php?page=trac
http://example.com/wp-admin/admin.php?page=trac
http://example.com/wp-admin/edit-comments.php?page=trac
http://example.com/wp-admin/edit.php?post_type=page&page=trac
http://example.com/wp-admin/upload.php?page=trac
http://example.com/wp-admin/edit.php?page=trac
http://example.com/wp-admin/index.php?page=trac
... etc ...
// Sub menu items that have the same behavior
http://vagrant.local/wp/wp-admin/plugin-install.php?page=trac
http://vagrant.local/wp/wp-admin/themes.php?page=custom-header&page=trac
http://vagrant.local/wp/wp-admin/themes.php?post-new.php?post_type=page&page=trac
... etc ...

Bug description: Every of the above links will (falsely) work and bring you to the registered page. The top level menu item will be hightlighted while the sub menu item does not exist.

The following URls will work (with above bug) as well, but not highlight any menu item:

http://example.com/wp-admin/edit-tags.php?taxonomy=post_tag&page=trac
http://example.com/wp-admin/edit-tags.php?taxonomy=category&page=trac

I would not really consider this a "feature".

Test Plugin

<?php
/** Plugin Name: (Trac) Add Top Level Test Menu Page */
add_action( 'admin_menu', function()
{
	add_menu_page(
		'Hello Trac',
		'Trac',
		'manage_options',
		'trac',
		function()
		{
			?>
			<h1>Hello Trac!</h1>
			<?php settings_errors(); ?>
			<form action="options.php" method="post">
				<label for="trac">Enter Trac ID</label>
				<input type="text" name="trac" />
			</form>
			<?php
		}
	);
} );

Attachments (1)

28821.diff (1003 bytes) - added by swissspidy 10 years ago.

Download all attachments as: .zip

Change History (13)

#1 @OriginalEXE
11 years ago

  • Keywords 2nd-opinion added

Just tested this and I can confirm this behaviour. This should definitely be classified as a bug, makes no sense.

#2 @chriscct7
10 years ago

  • Keywords dev-feedback added; 2nd-opinion removed

Still can replicate this but I'm not convinced this isn't by design

#3 @F J Kaiser
10 years ago

@chriscct7 In case you call a bug: "design".

#4 follow-up: @chriscct7
10 years ago

I don't think it's a bug actually. The page query arg is used to override the the page being output in certain places in core, as a design. For example, prior to the customizer being included, the setting for custom header was on wp-admin/themes.php?page=custom-header where the page parameter is used to override themes.php from loading and load custom-header.php instead

#5 in reply to: ↑ 4 @F J Kaiser
10 years ago

Replying to chriscct7:

[…] The page query arg is used to override the the page being output in certain places in core, as a design […]

The bug regarding highlighting still is a bug.

Bug description: Every of the above links will (falsely) work and bring you to the registered page. The top level menu item will be hightlighted while the sub menu item does not exist.

@swissspidy
10 years ago

#6 @swissspidy
10 years ago

  • Keywords has-patch needs-testing added
  • Milestone changed from Awaiting Review to Future Release

It really feels wrong.

options-general.php?page=123 results in wp_die(), while using page=trac results in the page being displayed.

The attached fixes that by returning early in user_can_access_admin_page() if a top-level page is accessed with the wrong parent.

#7 follow-up: @swissspidy
10 years ago

Some plugins to test this patch with:

https://wordpress.org/plugins/admin-menu-editor/
https://wordpress.org/plugins/admin-menu-manager/
https://wordpress.org/plugins/easy-admin-menu/

Also, would wp-admin/themes.php?page=custom-header still work with this patch applied?

#8 in reply to: ↑ 7 @F J Kaiser
10 years ago

Replying to swissspidy:

Some plugins to test this patch with:

https://wordpress.org/plugins/admin-menu-editor/
https://wordpress.org/plugins/admin-menu-manager/
https://wordpress.org/plugins/easy-admin-menu/

From just looking at the first plugin "admin menu editor" and it's "includes/admin-menu-core.php" file … 3240 lines. I am not willing to take on that one as even searching the entry points and finding out if that plugin even qualifies for that patch would take too long.

Last edited 10 years ago by F J Kaiser (previous) (diff)

#9 @SirLouen
8 months ago

  • Keywords dev-feedback removed

This ticket was mentioned in Slack in #core-test by oglekler. View the logs.
6 months ago

This ticket was mentioned in PR #10801 on WordPress/wordpress-develop by @nikunj8866.
6 weeks ago #11

Refreshing 28821.diff for Testing and Review Purposes

Trac ticket: https://core.trac.wordpress.org/ticket/28821

#12 @huzaifaalmesbah
6 weeks ago

  • Keywords needs-testing removed

Patch Testing Report

Patch Tested: https://github.com/WordPress/wordpress-develop/pull/10801

Environment

  • WordPress: 7.0-alpha-61215-src
  • PHP: 8.2.29
  • Server: nginx/1.29.4
  • Database: mysqli (Server: 8.4.7 / Client: mysqlnd 8.2.29)
  • Browser: Chrome 143.0.0.0
  • OS: macOS
  • Theme: Twenty Twenty-Two 2.1
  • MU Plugins: None activated
  • Plugins:
    • (Trac) Add Top Level Test Menu Page
    • Test Reports 1.2.1

Steps taken

  1. Activated the (Trac) Add Top Level Test Menu Page plugin.
  2. Logged into the WordPress admin dashboard.
  3. Opened the Trac top-level admin menu and confirmed the page loads correctly.
  4. Attempted to access the page using unrelated admin URLs with the page=trac query parameter (e.g. options-general.php, tools.php, edit.php, upload.php, index.php).
  5. Observed that the admin page is accessible via those unrelated URLs and causes incorrect or missing menu highlighting.
  6. Applied the fix from the linked patch.
  7. Re-tested access using the same unrelated admin URLs.
  8. Confirmed that the admin page is no longer accessible via unrelated URLs and menu highlighting behaves correctly.
  1. ✅ Patch is solving the problem

Expected result

  • Admin pages registered using add_menu_page() should only be accessible through their registered admin URL.
  • Unrelated admin URLs with the same page parameter should not load the page.
  • Admin menu highlighting should always reflect the correct active menu item.

Screenshots/Screencast with results

Support Content

  • Test plugin: (Trac) Add Top Level Test Menu Page 
<?php
/** Plugin Name: (Trac) Add Top Level Test Menu Page */
add_action( 'admin_menu', function()
{
	add_menu_page(
		'Hello Trac',
		'Trac',
		'manage_options',
		'trac',
		function()
		{
			?>
			<h1>Hello Trac!</h1>
			<?php settings_errors(); ?>
			<form action="options.php" method="post">
				<label for="trac">Enter Trac ID</label>
				<input type="text" name="trac" />
			</form>
			<?php
		}
	);
} );
Note: See TracTickets for help on using tickets.