"read" only user accounts are shown too much on the dashboard

[Viper007Bond]

I know the dashboard is a work in progress still, but I just want to make sure this doesn't get forgotten before release.

Create a "Subscriber" (aka read only account) and then visit the dashboard.

You are shown the "Right Now" box containing the number of posts, categories, etc. (I think those should be hidden from no-access users) as well as "Write Post" and "Write Page" links.

The "Recent Comments", "Incoming Links", and "Plugins" are also shown.

[mdawaffe]

5858.diff adds some cap checks to the dashboard and the dashboard widgets. My philosophy:

1. If the info is publicly accessible (e.g. via feeds), show the info.
2. If not, show the info only to those with the appropriate cap.
3. Don't show links that are not accessible to the logged in user.

So, on the dashboard, a subscriber would be able to see:

1. How many posts, but not how many pages or drafts.
2. How many categories/tags.
3. No links that point elsewhere in the admin section.

A subscriber would be able to see the following dashboard widgets.

1. Recent comments (available through feeds) but no links to moderation.
2. Incoming links (available via google, technorati, ...).
3. Primary feed (wordpress.org/development/feed).
4. Secondary feed (the planet).
5. Not the plugins widget. It's publicly available info (so I'm going against my philosophy), but it may contain other stuff later like "install now" links or other things that are actions rather than just pieces of information.

Dashboard widgets already have the edit_dashboard cap check for the little "Edit" links.

[mdawaffe]

refreshed

[ryan]

(In [7217]) Add cap checks to dash. Props mdawaffe. fixes #5858