#29236 closed defect (bug) (fixed)
install_plugins_tabs cannot filter the "upload" tab anymore
Reported by: | juliobox | Owned by: | nacin |
---|---|---|---|
Milestone: | 4.0 | Priority: | normal |
Severity: | normal | Version: | 4.0 |
Component: | Plugins | Keywords: | has-patch |
Focuses: | Cc: |
Description
Hello
From 2.8 to 3.9.2 we could filter the tabs with the "install_plugins_tabs" filter.
I've got a little muplugin that removes the "upload" tab (because you know, clients...)
So, since 4.0-b4 the filter "install_plugins_tabs" doesn't contain the "upload" tab anymore, this is a regression i guess :/
Also a new button is added, with no filter. We need one like before.
Patch added.
TY
Attachments (2)
Change History (16)
#2
@
10 years ago
Simply filtering install_plugins_tabs to remove 'upload' didn't actually block uploads.
#3
@
10 years ago
Hello
Thank you Sergey.
hi Andrew, i'm aware of this (as a Web Security Consultant). My entire little script also contains this :
if( isset( $_FILES['pluginzip'] ) || isset( $_FILES['themezip'] ) ) die( 'You are not allowed to to that.' );
So, i guess it's enought to avoid a plugin/theme to be added by zip.
See you soon
#4
@
10 years ago
I was able to replicate the original issue, there is no 'upload' in the $tabs array passed into the install_plugins_tabs filter.
Applied 29236.patch to wp-admin/plugin-install.php
Now the only tab I see is an 'Upload Plugin' tab, the Newest, Featured, Popular, etc. are all gone. This is without adding the filter in my functions.php.
Attaching screenshot.
#5
@
10 years ago
Doesn't work for me, either. I think this patch is overriding the global $tabs defined in WP_Plugin_Install_List_Table.
It looks like the 'upload' tab is currently contained in $nonmenu_tabs which is filtered by 'install_plugins_nonmenu_tabs'.
So, maybe what we want to do here is to test whether upload still exists after being filtered by 'install_plugins_nonmenu_tabs'? Or check for it in the combination of menu+nonmenu tabs?
Or maybe we could give the list table a method that would enable us to know which tabs it supports?
#6
@
10 years ago
- Milestone 4.0 deleted
- Resolution set to wontfix
- Status changed from new to closed
Upload was purposefully moved to the header and removed from the bar. I am not particularly concerned about doing back-compat for this filter given that just hiding it did not actually disable the upload. The filter name would also make no sense given that it's not a "tab" context. Would advise that you hide the upload link with CSS going forward, as well as doing something to actually block the upload (such as the reporter is doing).
#7
@
10 years ago
Ok, i'll use CSS to hide it and always use as well the real "blocker script" reading the $_FILES global var.
Thank you all :)
#8
follow-up:
↓ 9
@
10 years ago
I forgot to tell that in the themes page, the filter is still there, so we can hide the "upload theme" button using it, why not on plugins page anymore?
#9
in reply to:
↑ 8
@
10 years ago
Replying to juliobox:
I forgot to tell that in the themes page, the filter is still there, so we can hide the "upload theme" button using it, why not on plugins page anymore?
The filter there has no impact on the upload button on the theme-install page.
#11
@
10 years ago
- Milestone set to 4.0
Per [29002] and #28578, I'm fixing this. This is actually really easy to handle, and I'm going to tweak [29002] in the process too, as well as bring more UI uniformity to the plugin and theme installers, and add two new capabilities (upload_plugins and upload_themes) to allow someone to actually deny the ability to upload plugins or themes the "right" way.
Upload tab is back