[wp-trac] [WordPress Trac] #22895: user_can_admin_menu() is Type-Insensitive for Users who can't create pages
WordPress Trac
noreply at wordpress.org
Wed Dec 12 18:32:54 UTC 2012
#22895: user_can_admin_menu() is Type-Insensitive for Users who can't create pages
-----------------------------+-----------------------------
Reporter: kevinB | Type: defect (bug)
Status: new | Priority: normal
Milestone: Awaiting Review | Component: Role/Capability
Version: 3.5 | Severity: normal
Keywords: |
-----------------------------+-----------------------------
Utilization of the new edit_posts / create_posts capability separation
reveals a flaw in admin menu privilege checking.
The issue occurs when:
1. For any post type other than "post", the user has $type->cap->edit_posts but not $type->cap->create_posts
2. The user also does not have a manage_terms capability for any associated taxonomies
In that situation, access to "edit.php?post_type=whatever" fails unless
the user has the "edit_posts" cap for the "post" type.
This occurs because:
1. '''wp-admin/includes/menu.php''' removes solitary submenus that have the same destination as the parent
2. '''get_admin_page_parent()''' returns nullstring if there is no $submenu item
3. '''user_can_access_admin_page()''' performs a type-sensitive capability check only if get_admin_page_parent() returns an existing $submenu key.
For now, my plugin workaround is to hook into 'admin_menu' and add a dummy submenu with a nullstring caption.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/22895>
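The workaround described in the ticket, written out as an added example (this is not code from the ticket or from WordPress core): a small plugin hooks 'admin_menu' and registers a second, empty-captioned submenu under the post type's edit.php menu so that menu.php no longer sees a solitary submenu to prune and the type-specific capability check in user_can_access_admin_page() is reached. The post type name "book", the function name and the choice of giving the dummy entry the same slug as its parent are assumptions for illustration.

```php
<?php
/*
Plugin Name: Keep type-specific submenu (workaround for #22895)
Description: Registers a dummy submenu so edit.php?post_type=book keeps
             its own submenu entry for users with edit_posts only.
*/

// Run late so the post type's own submenus are already registered.
add_action( 'admin_menu', 'wp22895_keep_submenu_for_type', 999 );

function wp22895_keep_submenu_for_type() {
    $post_type = 'book'; // assumed custom post type name
    $type      = get_post_type_object( $post_type );
    if ( ! $type ) {
        return;
    }

    // Parent key that menu.php uses for a custom post type's "edit" menu.
    $parent_slug = 'edit.php?post_type=' . $post_type;

    // Dummy entry with an empty caption. Because the parent now has two
    // submenu entries, menu.php does not remove the solitary "same as parent"
    // submenu, get_admin_page_parent() finds a $submenu key, and the
    // capability checked is the type-specific edit_posts cap, not the
    // "post" type's edit_posts.
    add_submenu_page(
        $parent_slug,           // parent slug
        '',                     // page title (empty)
        '',                     // menu title (nullstring caption)
        $type->cap->edit_posts, // type-specific capability
        $parent_slug            // assumed: same destination as the parent
    );
}
```

Only the per-type edit_posts capability is used for the dummy entry, so a user without it still gets no link and no access; the entry changes which capability is consulted, not who is allowed in.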