Opened 9 years ago
Last modified 4 years ago
#38076 new defect (bug)
Network admin plugin pages can be accessed on non-multisite
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Future Release | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Administration | Keywords: | has-patch dev-feedback |
| Focuses: | multisite | Cc: | |
Description
I just noticed that it's theoretically possible to access a plugin-generated page in the network admin panel even if we're not on a multisite setup. The same applies to the user admin panel as well.
To replicate, create a plugin that uses add_menu_page() with a slug my_test_page, hooked into network_admin_menu. Then manually go to the URL http://yourdomain.com/wp-admin/network/admin.php?page=my_test_page.
This happens because the is_multisite() check happens only after including the general wp-admin/admin.php administration bootstrap file which takes care of any plugin pages by itself. The problem is we can't do it before because WordPress hasn't been loaded then. A possible solution would be to split the require_once statement in wp-admin/network/admin.php into two, one to load the WordPress core functions, the other to load wp-admin/admin.php.
I don't think this is a very critical issue, but I thought it should be a ticket. It's very unlikely that anyone tries to access a network admin URL when they don't have a multisite. On the other hand, we catch that in other areas (through ! is_multisite() checks), so we might try to do it here as well.
When I replicate this bug as per the instructions in the ticket description, I get a fatal error. I added a patch that redirects to the admin URL when attempting to access a plugin-generated page in the network admin panel when multisite is not enabled.
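Until core performs the `is_multisite()` check before plugin pages are dispatched, a plugin can guard its own network admin page. The following is an added example, not code from the ticket or its patch; the plugin header, function names and text domain are hypothetical, and the slug `my_test_page` is the one used in the ticket description.

```php
<?php
/**
 * Plugin Name: My Test Page (constructed example)
 */

// Register the network admin page only when multisite is enabled, so the
// slug is never registered on a single-site install even though the
// network_admin_menu hook fires for /wp-admin/network/ URLs.
if ( is_multisite() ) {
	add_action( 'network_admin_menu', 'my_test_page_register' );
}

/**
 * Adds the menu entry under the network admin panel.
 */
function my_test_page_register() {
	add_menu_page(
		'My Test Page',            // Page title.
		'My Test Page',            // Menu title.
		'manage_network_options',  // Capability required to see the page.
		'my_test_page',            // Menu slug from the ticket description.
		'my_test_page_render'      // Callback that outputs the page.
	);
}

/**
 * Renders the page. The checks are repeated here as defence in depth:
 * the callback must not rely on the routing layer having verified that
 * this is a multisite network admin request.
 */
function my_test_page_render() {
	if ( ! is_multisite() || ! is_network_admin() ) {
		wp_die(
			esc_html__( 'Multisite support is not enabled.', 'my-test-page' ),
			'',
			array( 'response' => 403 )
		);
	}

	if ( ! current_user_can( 'manage_network_options' ) ) {
		wp_die(
			esc_html__( 'Sorry, you are not allowed to access this page.', 'my-test-page' ),
			'',
			array( 'response' => 403 )
		);
	}

	echo '<div class="wrap"><h1>' . esc_html__( 'My Test Page', 'my-test-page' ) . '</h1></div>';
}
```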