WordPress.org

Make WordPress Core

Opened 7 years ago

Closed 6 years ago

#8535 closed defect (bug) (fixed)

role & capabilities/menu/user_can_access_admin_page()

Reported by: arena
Owned by: ryan
Milestone: 2.7.1
Priority: high
Severity: major
Version: 2.7
Component: Administration
Keywords:
Focuses:
Cc:

Description

Hello

In my plugin I grant access to the plugin settings page to the editor role.

When I log in under wp admin as an editor:

The Settings main menu is displayed with link: http://127.0.0.1/wp27/wp-admin/admin.php?page=mailpress_settings

The plugin submenu 'settings' is displayed with link: http://127.0.0.1/wp27/wp-admin/options-general.php?page=mailpress_settings

When I click on the first link, I access the plugin page.

When I click on the second link, I get the following message: You do not have sufficient permissions to access this page.

Bug analysis:

A) The bug appears to be in the first test made by function user_can_access_admin_page().

The test is this one:

    if ( isset( $_wp_submenu_nopriv[$parent][$pagenow] ) )
        return false;

Clicking on the second link gives:

    $parent = options-general.php
    $pagenow = options-general.php

and of course $_wp_submenu_nopriv[options-general.php][options-general.php] is set ...

Should the value of $pagenow be the plugin page value?

B) The second test in user_can_access_admin_page() is:

    if ( isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$parent][$plugin_page] ) )
        return false;

If I discard the first test, everything is ok (for that particular case).

SUGGESTION: The first test in user_can_access_admin_page() should be:

    if ( !isset( $plugin_page ) && isset( $_wp_submenu_nopriv[$parent][$pagenow] ) )
        return false;

Test Case :

1. Download http://andrerenaut.ovh.org/wp/wp-content/UserFiles/download.php?path=plugins/&fname=mailpress_wph.rar
2. Extract/Copy to wp-content/plugins/. Activate the two plugins.
3. Go to Settings>MailPress settings>tab 'R&C' and grant access for editor role to settings capability.
4. Login as an editor
5. You should have a Setting main menu and a MailPress setting submenu.
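
The behaviour described in the ticket, as an added example (not WordPress core code and not part of the original ticket): a simplified PHP model of the two quoted tests, run with the original and with the suggested first test. The function name `first_two_tests`, the `$patched` flag and the array contents are constructed for illustration, and the model covers only these two tests, not the rest of user_can_access_admin_page().

```php
<?php
// Added illustration, not WordPress core code. Models only the two tests
// quoted in the ticket; the real function continues with further checks.
function first_two_tests( array $nopriv, string $parent, string $pagenow,
                          ?string $plugin_page, bool $patched ): bool {
    // Test 1: the patched form skips it when a plugin page is requested.
    $apply_test_1 = ! $patched || ! isset( $plugin_page );
    if ( $apply_test_1 && isset( $nopriv[ $parent ][ $pagenow ] ) ) {
        return false;
    }
    // Test 2 (unchanged): deny when the plugin page itself is marked nopriv.
    if ( isset( $plugin_page ) && isset( $nopriv[ $parent ][ $plugin_page ] ) ) {
        return false;
    }
    return true; // not denied by these two tests
}

$general = 'options-general.php';
// Constructed data: editor lacks access to the core General page but was
// granted the plugin's settings capability, so the plugin slug is absent.
$granted = array( $general => array( $general => true ) );
// Constructed data: same role without the grant, plugin slug marked nopriv.
$not_granted = array( $general => array( $general => true, 'mailpress_settings' => true ) );

$cases = array(
    'granted, plugin page requested'     => array( $granted, 'mailpress_settings' ),
    'not granted, plugin page requested' => array( $not_granted, 'mailpress_settings' ),
    'granted, core page requested'       => array( $granted, null ),
);

foreach ( $cases as $label => list( $nopriv, $plugin_page ) ) {
    $before = first_two_tests( $nopriv, $general, $general, $plugin_page, false );
    $after  = first_two_tests( $nopriv, $general, $general, $plugin_page, true );
    printf( "%-36s original=%-5s patched=%s\n", $label,
        var_export( $before, true ), var_export( $after, true ) );
}
```

Only the first case changes between the two variants; a plugin page that is itself marked in the nopriv array is still denied by the second test, and a core page request is still denied by the first.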

Change History (7)

comment:1 @markjaquith 7 years ago

  • Owner changed from anonymous to ryan

comment:2 @ryan 7 years ago

  • Milestone changed from 2.7 to 2.7.1

That looks like a good fix, but let's postpone this to 2.7.1 since even small changes to the menu code tend to have unintended consequences.

comment:3 @arena 7 years ago

Ok, I can wait till 2.7.1. Thanks for the quick answer.

comment:4 @ryan 7 years ago

(In [10267]) user_can_access_admin_page() fix. Props arena. see #8535

comment:5 @ryan 7 years ago

Let's try this in trunk for awhile before committing to 2.7.

comment:6 @Denis-de-Bernardy 6 years ago

  • Version set to 2.7

comment:7 @ryan 6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [10413]) user_can_access_admin_page() fix. Props arena. fixes #8535 for 2.7
