WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 2 years ago

#32088 new defect (bug)

Bug in get_admin_page_parent( $parent = '' ) when only having 1 Sub-Menu-Item

Reported by: iamwordimpressed Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.1.2
Component: Menus Keywords: needs-patch
Focuses: administration Cc:
PR Number:

Description (last modified by ocean90)

Hello,

function get_admin_page_parent( $parent = '' ) seems buggy.

My Goal:

  • Remove all Submenu items of a CPT in Wordpress Admin and keep only the Main-Menu Item for showing the Table/List Custom Posts ("Listing All").

What I do:

  • I have a custom post type (CPT) with 2 Default builtin Taxonomies (category/post_tags). But The user has no Capability to access them. So effectively this CPT has 2 Sub-Menu-Items by default: "Listing All" and "Add New" (Note: I have no English installation, so the namings might slightly be different in original English).
  • I remove the "Add New" Menu item in the "_admin_menu" Hook by unsetting the respective $submenu item array entry: unset($GLOBALS['submenu']['edit.php?post_type=mycpt'][10]);
  • I have debugged it: As there is only one Sub-Menu-Item left ("Listing All"), Wordpress now tests if the single left Sub-Menu Item is identical to the Main-Menu Item. If yes, it will remove the Sub-Menu-Item. This works ok. Now the global $submenu array does no longer contain any Submenu Items. And the global $menu item still contains the Main-Menu Item for the CPT with the "Listing All" link (wp-admin/edit.php?post_type=mycpt).

Bug:

  • But when I acces the http://localhost/super/wp-admin/edit.php?post_type=mycpt page by clicking on the Main-Menu Item, I get an "no appropriate rights" error
  • It turns out that the get_admin_page_parent( $parent = '' ) function does return an empty (!) result instead of edit.php?post_type=mycpt. (I tested this by enabling the second submenu item and in this case the function returns "edit.php?post_type=mycpt".
  • When the function returns empty, than it will trigger (in user_can_access_admin_page())
    if ( empty( $parent) ) {
    if ( isset( $_wp_menu_nopriv[$pagenow] ) )
    
  • And this will deny access! The reason this is triggered is $pagenow is "edit.php". And I do NOT allow users access to the build in Default WP Post type! So $_wp_menu_nopriv contains "edit.php".

As I can judge this, this is bug in get_admin_page_parent( $parent = '' ) that will be triggered for all(!) Custom Post types with only one Submenuitem. But will only be visible, in practice if you additionally disable the build in standard "post" type.

Thanks!

Change History (5)

#1 @iamwordimpressed
4 years ago

  • Component changed from General to Menus
  • Type changed from enhancement to defect (bug)

#2 @iamwordimpressed
4 years ago

Important Note: Maybe the get_admin_page_parent( $parent = '' ) logic is correct, yet. But the code using the result is incorrect. As there is no documentation how this method, and the method that uses the result should behave if there is only one Main Menu item (without any sub menu items) I can not really tell.

#3 @welcher
3 years ago

  • Component changed from Menus to General
  • Focuses administration added
  • Keywords needs-patch added

Thanks for the ticket!

Given your understanding of the issue, you're probably the best person to take a shot at a patch. Give it a shot!

#4 @welcher
3 years ago

  • Component changed from General to Menus

#5 @ocean90
2 years ago

  • Description modified (diff)
Note: See TracTickets for help on using tickets.