[wp-trac] [WordPress Trac] #11922: Pages Hooked by add_menu_page() Have No Security
WordPress Trac
wp-trac at lists.automattic.com
Sat Jan 16 09:22:29 UTC 2010
#11922: Pages Hooked by add_menu_page() Have No Security
-----------------------------+----------------------------------------------
Reporter: miqrogroove | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.9.2
Component: Role/Capability | Version:
Severity: critical | Keywords:
-----------------------------+----------------------------------------------
... continued from #10310
> > They are roles. That could be the problem.
>
> Nah, the $access_level parameter has never been implemented for add_menu_page. wp-admin/menu.php displays all top level menus unless all children are forbidden. The hooks for those top level pages are totally unchecked.
For clarity, the flow of control:
1. In add_menu_page(), the callback function gets hooked unconditionally. $access_level is ignored.
2. In wp-admin/menu.php, current_user_can() is called after the user has failed every submenu permissions check unanimously. If any one test passes, then current_user_can() never runs.
3. In wp-admin/menu.php, user_can_access_admin_page() is called.
4. user_can_access_admin_page() performs a last-ditch check for $_wp_menu_nopriv, which is never set unless current_user_can() gets called in step 2.
5. admin.php calls do_action($page_hook);
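Until core enforces $access_level on the hooked callback, a plugin can protect its own top-level page by repeating the capability check inside the callback that do_action($page_hook) reaches. This is an added example, not code from the ticket or from WordPress core; the plugin name, slug, constant and function names are assumptions.

```php
<?php
/*
 * Plugin Name: Capability Guard Example (hypothetical)
 * Added illustration: the top-level page callback enforces its own
 * capability check instead of trusting add_menu_page()'s $access_level.
 */

// Capability this page requires. 'manage_options' is a real core capability.
define( 'MYPLUGIN_PAGE_CAP', 'manage_options' );

function myplugin_register_menu() {
    // Third argument is $access_level in 2.9. Per the ticket it is not
    // enforced on the hooked callback, so it is informational only here.
    add_menu_page(
        'My Plugin',            // page title
        'My Plugin',            // menu title
        MYPLUGIN_PAGE_CAP,      // $access_level (not enforced on the hook)
        'myplugin-settings',    // menu slug ($file)
        'myplugin_render_page'  // callback reached via do_action($page_hook)
    );
}
add_action( 'admin_menu', 'myplugin_register_menu' );

function myplugin_render_page() {
    // Enforce the capability at the callback itself: admin.php fires
    // do_action($page_hook) regardless of the menu-level checks, and
    // those checks are skipped whenever any submenu check passes.
    if ( ! current_user_can( MYPLUGIN_PAGE_CAP ) ) {
        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
    }
    echo '<div class="wrap"><h2>My Plugin</h2><p>Settings would go here.</p></div>';
}
```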
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11922>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software