Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#33938 closed defect (bug) (fixed)

Taxonomies with show_ui set to false should not be accessible via the admin area

Reported by: johnbillion's profile johnbillion Owned by: johnbillion's profile johnbillion
Milestone: 4.4 Priority: normal
Severity: normal Version: 2.3
Component: Taxonomy Keywords: needs-patch
Focuses: administration Cc:

Description

Same as #33763 for taxonomies.

If a taxonomy is registered with show_ui set to false, it's still possible to access the term editing screen for the taxonomy by manually navigating to the correct URL.

Change History (7)

#1 @johnbillion
9 years ago

  • Owner set to johnbillion
  • Resolution set to fixed
  • Status changed from new to closed

In 34359:

Remove the ability to view the term editing screen for taxonomies with show_ui set to false. It is unexpected and unintended behaviour that this is allowed.

If your plugin or site does rely on this behaviour, the arguments that are passed to register_taxonomy() should be altered so that show_ui is true, and arguments such as show_in_menu and show_in_nav_menus are false.

Fixes #33938

#2 follow-up: @danielbachhuber
9 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

We're hiding UI to add our own custom metabox (combining multiple taxonomies) and admin menu. However, register_taxonomy() doesn't offer a registration argument to disable core meta boxes. It would be nice to have the argument, so we don't have to deregister metaboxes.

#3 in reply to: ↑ 2 ; follow-up: @helen
9 years ago

Replying to danielbachhuber:

We're hiding UI to add our own custom metabox (combining multiple taxonomies) and admin menu. However, register_taxonomy() doesn't offer a registration argument to disable core meta boxes. It would be nice to have the argument, so we don't have to deregister metaboxes.

register_taxonomy() has a meta_box_cb arg, which can be set to false.

#4 in reply to: ↑ 3 @danielbachhuber
9 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to helen:

Replying to danielbachhuber:

We're hiding UI to add our own custom metabox (combining multiple taxonomies) and admin menu. However, register_taxonomy() doesn't offer a registration argument to disable core meta boxes. It would be nice to have the argument, so we don't have to deregister metaboxes.

register_taxonomy() has a meta_box_cb arg, which can be set to false.

Ah. I tried __return_false, but ended up with an empty meta box. Explicitly setting to false does the trick.

#5 @johnbillion
9 years ago

  • Keywords needs-patch added
  • Resolution fixed deleted
  • Status changed from closed to reopened

Suffers from the same problem as #33763.

#6 @johnbillion
9 years ago

  • Status changed from reopened to accepted

#7 @johnbillion
9 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 35704:

Move the show_ui logic into the get_edit_post_link() and get_edit_term_link() functions to facilitate post types and terms which specify show_ui as false but provide a custom editing UI via the get_edit_post_link and get_edit_term_link filters.

Fixes #33763
Fixes #33938

Note: See TracTickets for help on using tickets.