Make WordPress Core

Opened 10 months ago

Last modified 7 months ago

#52043 new defect (bug)

Post type listings in submenus require parent menu capability

Reported by: manfcarlo Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Posts, Post Types Keywords:
Focuses: administration Cc:


If a post type is registered under a submenu, such as $args['show_in_menu'] = 'options-general.php' or $args['show_in_menu'] = 'themes.php', viewing the post type listing seems to require the capability to access the parent page.

If a user lacks the capability for the parent page but does have the capability to edit the post type, the post type appears in the admin menu, but returns a 403 error when navigated to.

This makes no sense because the user actually does have the capability to access that page, and it's an independent page with its own capabilities.

Note that even the parent menu link will be modified to point to the post type listing, rather than the normal parent page that they genuinely lack the capability for.

There appears to be handling for this equivalent scenario for options pages, but not for post type listings.

Change History (4)

#1 @SergeyBiryukov
10 months ago

  • Component changed from Administration to Posts, Post Types

This ticket was mentioned in Slack in #core by manfcarlo. View the logs.

7 months ago

#3 @paaljoachim
7 months ago

I just now noticed this trac ticket mentioned in the Core Slack channel.
"It's also quite relevant to FSE, since it will affect the new post types."

@aristath @gziolo @annezazu

This ticket was mentioned in Slack in #core by mamaduka. View the logs.

7 months ago

Note: See TracTickets for help on using tickets.