Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#29236 closed defect (bug) (fixed)

install_plugins_tabs cannot filter the "upload" tab anymore

Reported by: juliobox
Owned by: nacin
Milestone: 4.0
Priority: normal
Severity: normal
Version: 4.0
Component: Plugins
Keywords: has-patch
Focuses:
Cc:

Description

Hello

From 2.8 to 3.9.2 we could filter the tabs with the "install_plugins_tabs" filter.
I've got a little mu-plugin that removes the "upload" tab (because you know, clients...)

So, since 4.0-b4 the filter "install_plugins_tabs" doesn't contain the "upload" tab anymore; this is a regression, I guess :/

Also a new button is added, with no filter. We need one like before.

Patch added.

TY

Attachments (2)

29236.patch (1000 bytes) - added by juliobox 5 years ago.
Upload tab is back
29236-only upload tab showing.png (105.3 KB) - added by shooper 5 years ago.


Change History (16)

@juliobox
5 years ago

Upload tab is back

#1 @SergeyBiryukov
5 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 4.0

#2 @nacin
5 years ago

Simply filtering install_plugins_tabs to remove 'upload' didn't actually block uploads.

#3 @juliobox
5 years ago

Hello

Thank you Sergey.

Hi Andrew, I'm aware of this (as a Web Security Consultant). My entire little script also contains this:

if( isset( $_FILES['pluginzip'] ) || isset( $_FILES['themezip'] ) )
	die( 'You are not allowed to do that.' );

So, I guess it's enough to prevent a plugin/theme from being added by zip.

See you soon

#4 @shooper
5 years ago

I was able to replicate the original issue; there is no 'upload' in the $tabs array passed into the install_plugins_tabs filter.

Applied 29236.patch to wp-admin/plugin-install.php

Now the only tab I see is an 'Upload Plugin' tab, the Newest, Featured, Popular, etc. are all gone. This is without adding the filter in my functions.php.

Attaching screenshot.

#5 @mpatek
5 years ago

Doesn't work for me, either. I think this patch is overriding the global $tabs defined in WP_Plugin_Install_List_Table.

It looks like the 'upload' tab is currently contained in $nonmenu_tabs which is filtered by 'install_plugins_nonmenu_tabs'.

So, maybe what we want to do here is to test whether upload still exists after being filtered by 'install_plugins_nonmenu_tabs'? Or check for it in the combination of menu+nonmenu tabs?

Or maybe we could give the list table a method that would enable us to know which tabs it supports?

#6 @helen
5 years ago

  • Milestone 4.0 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Upload was purposefully moved to the header and removed from the bar. I am not particularly concerned about doing back-compat for this filter given that just hiding it did not actually disable the upload. The filter name would also make no sense given that it's not a "tab" context. Would advise that you hide the upload link with CSS going forward, as well as doing something to actually block the upload (such as the reporter is doing).

#7 @juliobox
5 years ago

OK, I'll use CSS to hide it and also always use the real "blocker script" reading the $_FILES global var.
Thank you all :)

#8 follow-up: @juliobox
5 years ago

I forgot to mention that on the themes page the filter is still there, so we can hide the "upload theme" button using it. Why not on the plugins page anymore?

#9 in reply to: ↑ 8 @nacin
5 years ago

Replying to juliobox:

I forgot to mention that on the themes page the filter is still there, so we can hide the "upload theme" button using it. Why not on the plugins page anymore?

The filter there has no impact on the upload button on the theme-install page.

#10 @nacin
5 years ago

I stand corrected, but the way it was implemented was pretty bad.

#11 @nacin
5 years ago

  • Milestone set to 4.0

Per [29002] and #28578, I'm fixing this. This is actually really easy to handle, and I'm going to tweak [29002] in the process too, as well as bring more UI uniformity to the plugin and theme installers, and add two new capabilities (upload_plugins and upload_themes) to allow someone to actually deny the ability to upload plugins or themes the "right" way.

#12 @nacin
5 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

#13 @nacin
5 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from reopened to closed

In 29634:

Plugin/Theme Uploads: New capabilities; unify UIs; ensure compatibility with old filters.

Introduce upload_plugins and upload_themes capabilities to allow blocking of plugin and theme uploads, versus the old hacky (and not secure) ways of just hiding UI tabs. These are simply meta capabilities that map to install_plugins and install_themes.

Also:

  • Use the same nice design for the plugin upload screen as the theme upload screen.
  • Better compatibility for the old install_themes_tabs filter added in [29002]. see #28578.
  • Ensure using the install_plugins_tabs filter to remove the upload tab removes the new button.
  • Use 'Add Plugins' instead of 'Install Plugins' to match 'Add Themes'.

fixes #29236.
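
The difference between hiding the upload UI and denying the upload, shown side by side as an added example (not part of the ticket and not WordPress core code). It is a constructed mu-plugin that assumes WordPress 4.0 or later, where the upload_plugins and upload_themes meta capabilities from [29634] exist; the example_* function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Deny plugin/theme ZIP uploads (constructed example)
 *
 * Assumption: WordPress 4.0+, where upload_plugins and upload_themes are
 * meta capabilities that map to install_plugins and install_themes.
 */

/*
 * Cosmetic only. Removing 'upload' from the tabs takes the entry (and, per
 * the changeset above, the new button) out of the plugin installer screen.
 * It does not stop a ZIP from being submitted, which is the point made in
 * comment #2.
 */
add_filter( 'install_plugins_tabs', 'example_hide_upload_tab' );
function example_hide_upload_tab( $tabs ) {
	unset( $tabs['upload'] );
	return $tabs;
}

/*
 * Enforcement. Every current_user_can( 'upload_plugins' ) or
 * current_user_can( 'upload_themes' ) check passes through map_meta_cap.
 * Appending the built-in 'do_not_allow' primitive makes the check fail for
 * every user, including super admins on multisite, while leaving
 * install_plugins and install_themes (installs from the directory) intact.
 */
add_filter( 'map_meta_cap', 'example_deny_zip_uploads', 10, 2 );
function example_deny_zip_uploads( $caps, $cap ) {
	if ( 'upload_plugins' === $cap || 'upload_themes' === $cap ) {
		$caps[] = 'do_not_allow';
	}
	return $caps;
}
```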

#14 @nacin
5 years ago

In 29637:

Adjust [29634] so the Upload Plugin button can be shown. see #29236.
