WordPress.org

Make WordPress Core

Opened 4 years ago

Closed 4 years ago

#39745 closed defect (bug) (duplicate)

edit.php inaccessible when post type has no submenu

Reported by: jmeit Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Role/Capability Keywords:
Focuses: administration Cc:

Description

Problem

In the Dashboard menu, you see links to your custom post types. If you take away a role/user's 'capability' to create_posts, the 'Add New' button disappears from that post type's submenu, which is expected. But, the side-effect is that it makes edit.php?post_type=my_cpt inaccessible.

I discovered that it was due to the lack of a submenu by grepping for the error.
The error message comes from the bottom of wp-admin/includes/menu.php.
I followed that to user_can_access_admin_page() in wp-admin/includes/plugin.php:1697
and then to get_admin_page_parent() in wp-admin/includes/plugin.php:1509
My interpretation, from following the execution with xdebug, is that when the global $submenu is empty, no page parent is found, and user_can_access_admin_page() looks for the entry $_wp_menu_nopriv[$pagenow], but $pagenow contains edit.php, instead of the page that was being accessed, edit.php?post_type=my_cpt .

To Reproduce

  1. Create custom post type 'my_cpt' with
    'capability_type' => 'my_cpt',
    'capabilities' => array('create_posts' => 'create_my_cpts'),
    'supports' => array('author','title') //'author' is the important one for testing
    
  2. Add a role 'my_role' with caps 'edit_my_cpts' => true and 'create_my_cpts' => false.
  3. Add a user and give it the role 'my_role'
  4. Add a new my_cpt, and change it's author to the new user.
  5. Login to the dashboard as the new user. The menu item for my_cpt will show up, but will not have a submenu. This is because you've set 'create_my_cpts' to false, which removes the one submenu item that there would ordinarily be, 'Add New'.
  6. Click the menu item to view the list of my_cpts.

You are met with the dreaded "Sorry, you are not allowed to access this page."
However, if you go directly to my.wordpress.site/wp-admin/post.php?post=[post id]&action=edit you'll see that the user can still edit its my_cpt post.

Change History (1)

#1 @ocean90
4 years ago

  • Focuses ui removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version 4.7.2 deleted

Hello @jmeit, welcome to WordPress Trac!

Thanks for your report. We had a similar report in #29714 and are now tracking this issue in #22895.

Note: See TracTickets for help on using tickets.