Opened 10 years ago
Last modified 6 years ago
#28821 new defect (bug)
Admin page registered with add_menu_page() allows access through wrong URls and hightlights wrong top level menu item
Reported by: | F J Kaiser | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.9.1 |
Component: | Administration | Keywords: | dev-feedback has-patch needs-testing |
Focuses: | administration | Cc: |
Description
Steps to reproduce:
- Add a top level admin menu page (with the plugin provided below).
- Access the new top level admin menu via the menu item (bottom of menu)
- Try to access it via one of the following URLs
http://example.com/wp-admin/options-general.php?page=trac http://example.com/wp-admin/tools.php?page=trac http://example.com/wp-admin/admin.php?page=trac http://example.com/wp-admin/edit-comments.php?page=trac http://example.com/wp-admin/edit.php?post_type=page&page=trac http://example.com/wp-admin/upload.php?page=trac http://example.com/wp-admin/edit.php?page=trac http://example.com/wp-admin/index.php?page=trac ... etc ... // Sub menu items that have the same behavior http://vagrant.local/wp/wp-admin/plugin-install.php?page=trac http://vagrant.local/wp/wp-admin/themes.php?page=custom-header&page=trac http://vagrant.local/wp/wp-admin/themes.php?post-new.php?post_type=page&page=trac ... etc ...
Bug description: Every of the above links will (falsely) work and bring you to the registered page. The top level menu item will be hightlighted while the sub menu item does not exist.
The following URls will work (with above bug) as well, but not highlight any menu item:
http://example.com/wp-admin/edit-tags.php?taxonomy=post_tag&page=trac http://example.com/wp-admin/edit-tags.php?taxonomy=category&page=trac
I would not really consider this a "feature".
Test Plugin
<?php /** Plugin Name: (Trac) Add Top Level Test Menu Page */ add_action( 'admin_menu', function() { add_menu_page( 'Hello Trac', 'Trac', 'manage_options', 'trac', function() { ?> <h1>Hello Trac!</h1> <?php settings_errors(); ?> <form action="options.php" method="post"> <label for="trac">Enter Trac ID</label> <input type="text" name="trac" /> </form> <?php } ); } );
Attachments (1)
Change History (9)
#2
@
9 years ago
- Keywords dev-feedback added; 2nd-opinion removed
Still can replicate this but I'm not convinced this isn't by design
#4
follow-up:
↓ 5
@
9 years ago
I don't think it's a bug actually. The page query arg is used to override the the page being output in certain places in core, as a design. For example, prior to the customizer being included, the setting for custom header was on wp-admin/themes.php?page=custom-header where the page parameter is used to override themes.php from loading and load custom-header.php instead
#5
in reply to:
↑ 4
@
9 years ago
Replying to chriscct7:
[…] The page query arg is used to override the the page being output in certain places in core, as a design […]
The bug regarding highlighting still is a bug.
Bug description: Every of the above links will (falsely) work and bring you to the registered page. The top level menu item will be hightlighted while the sub menu item does not exist.
#6
@
9 years ago
- Keywords has-patch needs-testing added
- Milestone changed from Awaiting Review to Future Release
It really feels wrong.
options-general.php?page=123
results in wp_die()
, while using page=trac
results in the page being displayed.
The attached fixes that by returning early in user_can_access_admin_page()
if a top-level page is accessed with the wrong parent.
#7
follow-up:
↓ 8
@
9 years ago
Some plugins to test this patch with:
https://wordpress.org/plugins/admin-menu-editor/
https://wordpress.org/plugins/admin-menu-manager/
https://wordpress.org/plugins/easy-admin-menu/
Also, would wp-admin/themes.php?page=custom-header
still work with this patch applied?
#8
in reply to:
↑ 7
@
9 years ago
Replying to swissspidy:
Some plugins to test this patch with:
https://wordpress.org/plugins/admin-menu-editor/
https://wordpress.org/plugins/admin-menu-manager/
https://wordpress.org/plugins/easy-admin-menu/
From just looking at the first plugin "admin menu editor" and it's "includes/admin-menu-core.php" file … 3240 lines. I am not willing to take on that one as even searching the entry points and finding out if that plugin even qualifies for that patch would take too long.
Just tested this and I can confirm this behaviour. This should definitely be classified as a bug, makes no sense.