Make WordPress Core

Opened 2 years ago

Closed 2 weeks ago

#58761 closed defect (bug) (fixed)

Make the filter option_page_capability_options available when accessing options.php directly

Reported by: amibe
Owned by: SergeyBiryukov
Milestone: 7.0
Priority: normal
Severity: normal
Version:
Component: Options, Meta APIs
Keywords: has-patch
Focuses:
Cc:

Description

The problem is that when wp-admin/options.php is accessed directly, $option_page is empty, and the filter for option_page_capability_options is bypassed.

For a requirement to prevent direct access to this page, which exposes all WordPress options, this filter is needed to modify the capability from 'manage_options' to 'do_not_allow'.

For any other settings page the value of $option_page is set to something other than 'options' and would not be affected by this change.

I'd also suggest the 'back compat' comment is irrelevant and could be removed (or at least better explained if it is relevant).

The suggested change is from:

<?php
$capability = 'manage_options';

// This is for back compat and will eventually be removed.
if ( empty( $option_page ) ) {
        $option_page = 'options';
} else {

        /**
         * Filters the capability required when using the Settings API.
         *
         * By default, the options groups for all registered settings require the manage_options capability.
         * This filter is required to change the capability required for a certain options page.
         *
         * @since 3.2.0
         *
         * @param string $capability The capability used for the page, which is manage_options by default.
         */
        $capability = apply_filters( "option_page_capability_{$option_page}", $capability );
}

To:

<?php
$capability = 'manage_options';

if ( empty( $option_page ) ) {
        $option_page = 'options';
} 

/**
 * Filters the capability required when using the Settings API.
 *
 * By default, the options groups for all registered settings require the manage_options capability.
 * This filter is required to change the capability required for a certain options page.
 *
 * @since 3.2.0
 *
 * @param string $capability The capability used for the page, which is manage_options by default.
 */
$capability = apply_filters( "option_page_capability_{$option_page}", $capability );

Change History (3)

This ticket was mentioned in PR #8972 on WordPress/wordpress-develop by @amibe.


6 months ago
#1

  • Keywords has-patch added

Fixes the filter for option_page_capability_options being bypassed when wp-admin/options.php is accessed directly (because $option_page is empty).

Trac ticket:
https://core.trac.wordpress.org/ticket/58761

#2 @SergeyBiryukov
2 weeks ago

  • Milestone changed from Awaiting Review to 7.0

#3 @SergeyBiryukov
2 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 61325:

Options, Meta APIs: Avoid bypassing the option_page_capability_options filter.

This ensures that the filter is available when wp-admin/options.php is accessed directly.

Follow-up to [13627], [17986], [25372].

Props amibe.
Fixes #58761.
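
The behaviour change, reproduced outside WordPress as an added example (not code from the ticket or from WordPress core): the two versions of the check are wrapped in the hypothetical functions capability_before() and capability_after(), add_filter() and apply_filters() are minimal stand-ins for the real hooks API, and the inputs are constructed. It shows that a do_not_allow callback on option_page_capability_options only takes effect for a direct request after the change, while a settings page such as general is unaffected.

```php
<?php
// Added example. Minimal stand-ins for WordPress's add_filter()/apply_filters(),
// so the script runs with the PHP CLI outside WordPress.
$filters = array();

function add_filter( $hook, $callback ) {
    global $filters;
    $filters[ $hook ][] = $callback;
}

function apply_filters( $hook, $value ) {
    global $filters;
    foreach ( $filters[ $hook ] ?? array() as $callback ) {
        $value = $callback( $value );
    }
    return $value;
}

// Capability check as it stood before the change (the "from" block in the ticket).
function capability_before( $option_page ) {
    $capability = 'manage_options';
    if ( empty( $option_page ) ) {
        $option_page = 'options';
    } else {
        $capability = apply_filters( "option_page_capability_{$option_page}", $capability );
    }
    return $capability;
}

// Capability check after the change (the "to" block): the filter always runs.
function capability_after( $option_page ) {
    $capability = 'manage_options';
    if ( empty( $option_page ) ) {
        $option_page = 'options';
    }
    return apply_filters( "option_page_capability_{$option_page}", $capability );
}

// Hardening callback from the description: nobody may open the all-options page.
add_filter( 'option_page_capability_options', function ( $capability ) {
    return 'do_not_allow';
} );

// Constructed inputs: '' models a direct request to wp-admin/options.php,
// 'general' models a settings form that posts option_page=general.
foreach ( array( '', 'general' ) as $page ) {
    printf( "%-9s before=%s after=%s\n", var_export( $page, true ), capability_before( $page ), capability_after( $page ) );
}
```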
