[wp-trac] [WordPress Trac] #58761: Make the filter option_page_capability_options available when access options.php directly

WordPress Trac noreply at wordpress.org
Sat Jul 8 05:43:13 UTC 2023 

#58761: Make the filter option_page_capability_options available when access
options.php directly
--------------------------------+-----------------------------
 Reporter:  amibe               |      Owner:  (none)
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Options, Meta APIs  |    Version:
 Severity:  normal              |   Keywords:
  Focuses:                      |
--------------------------------+-----------------------------
 The problem is that when wp-admin/options.php is accessed directly
 $option_page is Empty, and the filter for option_page_capability_options
 is bypassed.

 For a requirement to prevent direct access to this page, which exposes all
 WordPress options, this filter is needed to modify the capability from
 'manage_options' to 'do_not_allow'.

 For any other settings page the value of $option_page is set to something
 other than 'options' and would not be affected by this change.

 I'd also suggest the 'back compat' comment is irrelevant and could be
 removed (or at least better explained if it is relevant).

 The suggested change is from:
 {{{#!php
 <?php
 $capability = 'manage_options';

 // This is for back compat and will eventually be removed.
 if ( empty( $option_page ) ) {
         $option_page = 'options';
 } else {

         /**
          * Filters the capability required when using the Settings API.
          *
          * By default, the options groups for all registered settings
 require the manage_options capability.
          * This filter is required to change the capability required for a
 certain options page.
          *
          * @since 3.2.0
          *
          * @param string $capability The capability used for the page,
 which is manage_options by default.
          */
         $capability = apply_filters(
 "option_page_capability_{$option_page}", $capability );
 }
 }}}

 To:
 {{{#!php
 <?php
 $capability = 'manage_options';

 if ( empty( $option_page ) ) {
         $option_page = 'options';
 }

 /**
  * Filters the capability required when using the Settings API.
  *
  * By default, the options groups for all registered settings require the
 manage_options capability.
  * This filter is required to change the capability required for a certain
 options page.
  *
  * @since 3.2.0
  *
  * @param string $capability The capability used for the page, which is
 manage_options by default.
  */
 $capability = apply_filters( "option_page_capability_{$option_page}",
 $capability );

 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/58761>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list