Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#29236 closed defect (bug) (fixed)

install_plugins_tabs cannot filter the "upload" tab anymore

Reported by: juliobox's profile juliobox Owned by: nacin's profile nacin
Milestone: 4.0 Priority: normal
Severity: normal Version: 4.0
Component: Plugins Keywords: has-patch
Focuses: Cc:



From 2.8 to 3.9.2 we could filter the tabs with the "install_plugins_tabs" filter.
I've got a little muplugin that removes the "upload" tab (because you know, clients...)

So, since 4.0-b4 the filter "install_plugins_tabs" doesn't contain the "upload" tab anymore, this is a regression i guess :/

Also a new button is added, with no filter. We need one like before.

Patch added.


Attachments (2)

29236.patch (1000 bytes) - added by juliobox 10 years ago.
Upload tab is back
29236-only upload tab showing.png (105.3 KB) - added by shooper 10 years ago.

Download all attachments as: .zip

Change History (16)

10 years ago

Upload tab is back

#1 @SergeyBiryukov
10 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 4.0

#2 @nacin
10 years ago

Simply filtering install_plugins_tabs to remove 'upload' didn't actually block uploads.

#3 @juliobox
10 years ago


Thank you Sergey.

hi Andrew, i'm aware of this (as a Web Security Consultant). My entire little script also contains this :

if( isset( $_FILES['pluginzip'] ) || isset( $_FILES['themezip'] ) )
	die( 'You are not allowed to to that.' );

So, i guess it's enought to avoid a plugin/theme to be added by zip.

See you soon

#4 @shooper
10 years ago

I was able to replicate the original issue, there is no 'upload' in the $tabs array passed into the install_plugins_tabs filter.

Applied 29236.patch to wp-admin/plugin-install.php

Now the only tab I see is an 'Upload Plugin' tab, the Newest, Featured, Popular, etc. are all gone. This is without adding the filter in my functions.php.

Attaching screenshot.

#5 @mpatek
10 years ago

Doesn't work for me, either. I think this patch is overriding the global $tabs defined in WP_Plugin_Install_List_Table.

It looks like the 'upload' tab is currently contained in $nonmenu_tabs which is filtered by 'install_plugins_nonmenu_tabs'.

So, maybe what we want to do here is to test whether upload still exists after being filtered by 'install_plugins_nonmenu_tabs'? Or check for it in the combination of menu+nonmenu tabs?

Or maybe we could give the list table a method that would enable us to know which tabs it supports?

#6 @helen
10 years ago

  • Milestone 4.0 deleted
  • Resolution set to wontfix
  • Status changed from new to closed

Upload was purposefully moved to the header and removed from the bar. I am not particularly concerned about doing back-compat for this filter given that just hiding it did not actually disable the upload. The filter name would also make no sense given that it's not a "tab" context. Would advise that you hide the upload link with CSS going forward, as well as doing something to actually block the upload (such as the reporter is doing).

#7 @juliobox
10 years ago

Ok, i'll use CSS to hide it and always use as well the real "blocker script" reading the $_FILES global var.
Thank you all :)

#8 follow-up: @juliobox
10 years ago

I forgot to tell that in the themes page, the filter is still there, so we can hide the "upload theme" button using it, why not on plugins page anymore?

#9 in reply to: ↑ 8 @nacin
10 years ago

Replying to juliobox:

I forgot to tell that in the themes page, the filter is still there, so we can hide the "upload theme" button using it, why not on plugins page anymore?

The filter there has no impact on the upload button on the theme-install page.

#10 @nacin
10 years ago

I stand corrected, but the way it was implemented was pretty bad.

#11 @nacin
10 years ago

  • Milestone set to 4.0

Per [29002] and #28578, I'm fixing this. This is actually really easy to handle, and I'm going to tweak [29002] in the process too, as well as bring more UI uniformity to the plugin and theme installers, and add two new capabilities (upload_plugins and upload_themes) to allow someone to actually deny the ability to upload plugins or themes the "right" way.

#12 @nacin
10 years ago

  • Resolution wontfix deleted
  • Status changed from closed to reopened

#13 @nacin
10 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from reopened to closed

In 29634:

Plugin/Theme Uploads: New capabilities; unify UIs; ensure compatibility with old filters.

Introduce upload_plugins and upload_themes capabilities to allow blocking of plugin and theme uploads, versus the old hacky (and not secure) ways of just hiding UI tabs. These are simply meta capabilities that map to install_plugins and install_themes.


  • Use the same nice design for the plugin upload screen as the theme upload screen.
  • Better compatibility for the old install_themes_tabs filter added in [29002]. see #28578.
  • Ensure using the install_plugins_tabs filter to remove the upload tab removes the new button.
  • Use 'Add Plugins' instead of 'Install Plugins' to match 'Add Themes'.

fixes #29236.

#14 @nacin
10 years ago

In 29637:

Adjust [29634] so the Upload Plugin button can be shown. see #29236.

Note: See TracTickets for help on using tickets.