WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 2 years ago

#28821 new defect (bug)

Admin page registered with add_menu_page() allows access through wrong URls and hightlights wrong top level menu item

Reported by: F J Kaiser Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 3.9.1
Component: Administration Keywords: dev-feedback has-patch needs-testing
Focuses: administration Cc:

Description

Steps to reproduce:

  • Add a top level admin menu page (with the plugin provided below).
  • Access the new top level admin menu via the menu item (bottom of menu)
  • Try to access it via one of the following URLs
http://example.com/wp-admin/options-general.php?page=trac
http://example.com/wp-admin/tools.php?page=trac
http://example.com/wp-admin/admin.php?page=trac
http://example.com/wp-admin/edit-comments.php?page=trac
http://example.com/wp-admin/edit.php?post_type=page&page=trac
http://example.com/wp-admin/upload.php?page=trac
http://example.com/wp-admin/edit.php?page=trac
http://example.com/wp-admin/index.php?page=trac
... etc ...
// Sub menu items that have the same behavior
http://vagrant.local/wp/wp-admin/plugin-install.php?page=trac
http://vagrant.local/wp/wp-admin/themes.php?page=custom-header&page=trac
http://vagrant.local/wp/wp-admin/themes.php?post-new.php?post_type=page&page=trac
... etc ...

Bug description: Every of the above links will (falsely) work and bring you to the registered page. The top level menu item will be hightlighted while the sub menu item does not exist.

The following URls will work (with above bug) as well, but not highlight any menu item:

http://example.com/wp-admin/edit-tags.php?taxonomy=post_tag&page=trac
http://example.com/wp-admin/edit-tags.php?taxonomy=category&page=trac

I would not really consider this a "feature".


Test Plugin

<?php
/** Plugin Name: (Trac) Add Top Level Test Menu Page */
add_action( 'admin_menu', function()
{
	add_menu_page(
		'Hello Trac',
		'Trac',
		'manage_options',
		'trac',
		function()
		{
			?>
			<h1>Hello Trac!</h1>
			<?php settings_errors(); ?>
			<form action="options.php" method="post">
				<label for="trac">Enter Trac ID</label>
				<input type="text" name="trac" />
			</form>
			<?php
		}
	);
} );

Attachments (1)

28821.diff (1003 bytes) - added by swissspidy 2 years ago.

Download all attachments as: .zip

Change History (9)

#1 @OriginalEXE
4 years ago

  • Keywords 2nd-opinion added

Just tested this and I can confirm this behaviour. This should definitely be classified as a bug, makes no sense.

#2 @chriscct7
3 years ago

  • Keywords dev-feedback added; 2nd-opinion removed

Still can replicate this but I'm not convinced this isn't by design

#3 @F J Kaiser
3 years ago

@chriscct7 In case you call a bug: "design".

#4 follow-up: @chriscct7
3 years ago

I don't think it's a bug actually. The page query arg is used to override the the page being output in certain places in core, as a design. For example, prior to the customizer being included, the setting for custom header was on wp-admin/themes.php?page=custom-header where the page parameter is used to override themes.php from loading and load custom-header.php instead

#5 in reply to: ↑ 4 @F J Kaiser
3 years ago

Replying to chriscct7:

[…] The page query arg is used to override the the page being output in certain places in core, as a design […]

The bug regarding highlighting still is a bug.

Bug description: Every of the above links will (falsely) work and bring you to the registered page. The top level menu item will be hightlighted while the sub menu item does not exist.

@swissspidy
2 years ago

#6 @swissspidy
2 years ago

  • Keywords has-patch needs-testing added
  • Milestone changed from Awaiting Review to Future Release

It really feels wrong.

options-general.php?page=123 results in wp_die(), while using page=trac results in the page being displayed.

The attached fixes that by returning early in user_can_access_admin_page() if a top-level page is accessed with the wrong parent.

#7 follow-up: @swissspidy
2 years ago

Some plugins to test this patch with:

https://wordpress.org/plugins/admin-menu-editor/ https://wordpress.org/plugins/admin-menu-manager/ https://wordpress.org/plugins/easy-admin-menu/

Also, would wp-admin/themes.php?page=custom-header still work with this patch applied?

#8 in reply to: ↑ 7 @F J Kaiser
2 years ago

Replying to swissspidy:

Some plugins to test this patch with:

https://wordpress.org/plugins/admin-menu-editor/ https://wordpress.org/plugins/admin-menu-manager/ https://wordpress.org/plugins/easy-admin-menu/

From just looking at the first plugin "admin menu editor" and it's "includes/admin-menu-core.php" file … 3240 lines. I am not willing to take on that one as even searching the entry points and finding out if that plugin even qualifies for that patch would take too long.

Last edited 2 years ago by F J Kaiser (previous) (diff)
Note: See TracTickets for help on using tickets.