WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#37436 closed defect (bug) (fixed)

"Popular Plugin" UI in WordPress News dashboard widget doesn't respect DISALLOW_FILE_MODS

Reported by: danielbachhuber Owned by: swissspidy
Milestone: 4.7 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch commit
Focuses: Cc:
PR Number:

Description

Specifically, this conditional in wp_dashboard_primary():

if ( ( ! is_multisite() && is_blog_admin() && current_user_can( 'install_plugins' ) ) || ( is_network_admin() && current_user_can( 'manage_network_plugins' ) && current_user_can( 'install_plugins' ) ) ) {

If I have DISALLOW_FILE_MODS defined in my wp-config.php, then this particular component in the widget shouldn't be exposed.

Attachments (5)

37436.patch (610 bytes) - added by Mte90 3 years ago.
37436.2.patch (820 bytes) - added by Mte90 3 years ago.
improved
37436.diff (3.3 KB) - added by wonderboymusic 3 years ago.
37436.2.diff (3.8 KB) - added by wonderboymusic 3 years ago.
37436.3.diff (5.2 KB) - added by swissspidy 3 years ago.

Download all attachments as: .zip

Change History (23)

#1 @SergeyBiryukov
3 years ago

  • Component changed from Widgets to Administration

@Mte90
3 years ago

#2 @Mte90
3 years ago

  • Keywords dev-feedback reporter-feedback added; needs-patch removed

The patch contain the check for that constants in the wp_dashboard_primary() function.

@Mte90
3 years ago

improved

#3 @Mte90
3 years ago

Ignore the 37436.patch, the 37436.2.patch do the check only for the plugin part and not for all the widget.

#4 @swissspidy
3 years ago

  • Keywords has-patch added; dev-feedback reporter-feedback removed
  • Milestone changed from Awaiting Review to 4.7

37436.2.patch works after the cache has been cleared (usually 1 day).

@wonderboymusic
3 years ago

#5 @wonderboymusic
3 years ago

37436.diff adds a function, wp_disallow_file_mods()

#6 @jorbin
3 years ago

@swissspidy could the cache be flushed on upgrade?

@swissspidy
3 years ago

#7 @swissspidy
3 years ago

Sure. 37436.3.diff adds a db upgrade method to delete the transient once.

However, as soon as the constant changes, the output is wrong again for a short period of time.

This ticket was mentioned in Slack in #core by aaroncampbell. View the logs.


3 years ago

This ticket was mentioned in Slack in #core by stevenkword. View the logs.


3 years ago

#10 @swissspidy
3 years ago

  • Keywords needs-unit-tests added

#11 @swissspidy
3 years ago

Wondering how unit tests could be applied here... There aren't really any filters or something we could hook into and I don't want to fetch feeds during tests.

This ticket was mentioned in Slack in #core by jeffpaul. View the logs.


3 years ago

#13 @rachelbaker
3 years ago

@swissspidy I don't see a straightforward way to test this change either. Do you think it would also make sense to make a wrapper function for defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT as well?

#14 @swissspidy
3 years ago

  • Keywords needs-unit-tests removed

@rachelbaker wp_disallow_file_mods() is surely nice to have, but needs a filter to be actually useful. That way we could more easily write unit tests for the code using it. We should do that in a separate ticket though. For this ticket, I'd go with 37436.2.patch and the upgrade routine.

#15 @ocean90
3 years ago

I don't think we need an upgrade routine for this. 37436.2.patch looks good enough (with a space after !).

#16 @swissspidy
3 years ago

  • Keywords commit added
  • Owner set to swissspidy
  • Status changed from new to assigned

#17 @swissspidy
3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 38825:

Dashboard: Do not show 'Popular Plugin' UI if DISALLOW_FILE_MODS is set.

Props Mte90.
Fixes #37436.

#18 @swissspidy
3 years ago

See #38673 for wp_disallow_file_mods().

Note: See TracTickets for help on using tickets.