[wp-trac] [WordPress Trac] #31183: Users with "update_plugins" capability can not see update details

WordPress Trac noreply at wordpress.org
Tue Dec 5 20:14:21 UTC 2017


#31183: Users with "update_plugins" capability can not see update details
---------------------------------+----------------------------------------
 Reporter:  michel.weimerskirch  |       Owner:
     Type:  defect (bug)         |      Status:  new
 Priority:  normal               |   Milestone:  Future Release
Component:  Plugins              |     Version:  4.1
 Severity:  normal               |  Resolution:
 Keywords:  has-patch            |     Focuses:  administration, multisite
---------------------------------+----------------------------------------
Changes (by jeremyfelt):

 * focuses:  administration => administration, multisite


Comment:

 I'm seeing this same issue in a slightly different form in multisite.

 I've disabled `edit_plugins`, `update_plugins`, `install_plugins`, and
 `upload_plugins` for everyone, but `manage_network_plugins` is still
 enabled.

 I'd like global (super) administrators in our multisite setup to be able
 to "View version X.Y.Z details" when an update is available. That's
 usually the cleanest place to see a list of changes before initiating our
 workflow to upgrade.

 There are a couple of things that are getting in the way.

 The `plugin-install.php` page loads `wp-admin/network/menu.php` when
 viewed as an iframe, even though no menu is displayed. Because of this a
 nopriv flag is set when the current user cannot `install_plugins`.

 I can work around this by stomping on the `$_wp_submenu_nopriv` global to
 remove that nopriv flag. That's ugly, but so is the menu. :)

 Next, a second check for `install_plugins` caps blocks the actual view in
 `wp-admin/plugin-install.php`.

 In a nutshell, protecting `plugin-install.php` with `install_plugins` caps
 is only correct when viewing the page through "Add New". In its other
 forms, there are other protections in place to prevent links for
 updating/installing from being used.

 In [attachment:31183.diff], the cap check is ignored if we're loading the
 `plugin-information` tab. This appears to work as expected for me. I
 haven't fully tested the other scenarios in this ticket yet.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/31183#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
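
The gate discussed in the comment above, as an added example (not WordPress core code and not the attached 31183.diff): a stand-alone model of the `install_plugins` check on `plugin-install.php`, before and after skipping it for the `plugin-information` tab. The function names, the sample accounts and the use of `featured` as a stand-in for an "Add New" tab are assumptions made for illustration.

```php
<?php
// Added illustration: a stand-alone model of the plugin-install.php gate,
// not WordPress core code. All names below are hypothetical.

// Behaviour the comment describes today: every tab requires install_plugins.
function gate_current(string $tab, array $caps): bool {
    return in_array('install_plugins', $caps, true);
}

// Behaviour the comment describes for the patch: the check is skipped on
// the read-only plugin-information tab and kept for every other tab.
function gate_tab_aware(string $tab, array $caps): bool {
    if ($tab === 'plugin-information') {
        return true;
    }
    return in_array('install_plugins', $caps, true);
}

// Constructed accounts; the capability sets are sample data.
$users = [
    'super admin (comment setup)'     => ['manage_network_plugins'],
    'update-only user (ticket title)' => ['update_plugins'],
    'full plugin admin'               => ['install_plugins', 'update_plugins'],
    'no plugin caps'                  => [],
];
// 'featured' stands in for a tab reached through "Add New".
$tabs = ['plugin-information', 'featured'];

// Build one row per (user, tab) with the decision of both gates.
function access_matrix(array $users, array $tabs): array {
    $rows = [];
    foreach ($users as $name => $caps) {
        foreach ($tabs as $tab) {
            $rows[] = [$name, $tab, gate_current($tab, $caps), gate_tab_aware($tab, $caps)];
        }
    }
    return $rows;
}

foreach (access_matrix($users, $tabs) as [$name, $tab, $before, $after]) {
    printf("%-32s %-20s before=%-5s after=%s\n", $name, $tab,
        $before ? 'allow' : 'deny', $after ? 'allow' : 'deny');
}
```

In this model the "no plugin caps" account is also allowed on `plugin-information` after the change, so that tab then relies on the other protections the comment mentions; the "Add New" tab stays gated by `install_plugins` for every account.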

