#6248 closed defect (bug) (fixed)
WP permission issue for plugin updater
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.5 | Priority: | normal |
| Severity: | normal | Version: | 2.5 |
| Component: | Administration | Keywords: | has-patch dev-feedback |
| Focuses: | | Cc: | |
Description
In WP 2.5, trunk, wp-admin/update.php, things start like this:

```php
if ( !current_user_can('edit_plugins') )
	wp_die('<p>'.__('You do not have sufficient permissions to update plugins for this blog.').'</p>');
```
I've disabled the edit_plugins, edit_themes and edit_files capabilities from my administrator role. I do the same for each of my customers, because I don't want them to see scary looking "Edit [File]" screens in their admin area. I'm guessing others do the same. Anyway...
Could it be possible to change the above to:

```php
if ( !( current_user_can('edit_plugins') || current_user_can('administrator') ) )
	wp_die('<p>'.__('You do not have sufficient permissions to update plugins for this blog.').'</p>');
```
And/or, change the message on the plugins screen as necessary, so that only relevant users get prompted to upgrade their plugins automatically? (i.e. change "There is a new version of [Plugin] available. Download version [X] here or upgrade automatically." to "There is a new version of [Plugin] available. Download version [X] here.")
Attachments (2)
Change History (10)
#2 @ 18 years ago
What permission is used for access to the plugins page? manage_plugins?
Alternatively, could add an update_plugins capability; that way it can be restricted on a per-role basis by the role management plugins?
I'd support only showing the upgrade if a plugin package is available. However, for all intents and purposes, all wordpress.org plugins should have it available.
I don't think anyone has even thought of supporting the 3rd party plugins yet.
If anyone can suggest places for hooks and/or filters in the updater code, that could be useful.
#4 @ 18 years ago
The version checker plugin update will be supporting upgrades from 3rd party sites out of the box, and it works fine as far as I can tell.
There's no need for any extra hooks. At one point, I considered asking for something like $response = apply_filters($response) before updating the 'plugins_update' option, but catching the update_option_plugins_update hook or the load-plugins.php hook works too.
The permission problem raised above is very real, however, as is the package link problem.
#5 @ 18 years ago
- Keywords has-patch added; reporter-feedback 2nd-opinion removed
Patch attached for the update url.
2nd patch attached to not offer automatic upgrade if user doesn't have edit_plugins permission.
I personally think upgrading the plugin is editing the plugin, and that's why I've left it attached to that permission. However, if devs feel it should be linked to a different permission, please step in and make it happen.
Adding to this one, it would also be sweet to check if the package variable of the response is set before suggesting the automated upgrade.
```php
function wp_plugin_update_row( $file ) {
	// Only users allowed to edit plugins (or administrators) see the update row at all.
	if ( !( current_user_can('edit_plugins') || current_user_can('administrator') ) )
		return;

	global $plugin_data;
	$current = get_option( 'update_plugins' );
	if ( !isset( $current->response[ $file ] ) )
		return false;

	$r = $current->response[ $file ];
	echo "<tr><td colspan='5' class='plugin-update'>";
	if ( $r->package ) {
		// A package URL is known: offer the nonce-protected automatic upgrade as well.
		printf( __('There is a new version of %1$s available. <a href="%2$s">Download version %3$s here</a> or <a href="%4$s">upgrade automatically</a>.'),
			$plugin_data['Name'], $r->url, $r->new_version,
			wp_nonce_url("update.php?action=upgrade-plugin&plugin=$file", 'upgrade-plugin_' . $file) );
	} else {
		// No package URL: only point at the manual download.
		printf( __('There is a new version of %1$s available. <a href="%2$s">Download version %3$s here</a>.'),
			$plugin_data['Name'], $r->url, $r->new_version );
	}
	echo "</td></tr>";
}
```

That way, this plugin will work as expected in its current implementation, and its next one:
http://www.semiologic.com/software/wp-fixes/version-checker/
Thanks!