[wp-hackers] The menu-system in wp 1.3
Ryan Boren
ryan at boren.nu
Sun Oct 17 20:36:43 UTC 2004
On Sun, 2004-10-17 at 18:05 +0200, Sebastian Herp wrote:
> Hello list,
>
> two things about the menu-system.
>
> 1) It is impossible to write a one-file plugin that has an
> admin-interface. If I use the menu-hook (menu[50]= ....) I can link to
> any file i like, but if the file is outside the /wp-admin folder there
> is no chance of using the admin-header.php or admin-footer.php because
> they have relative includes (e.g. wp-config.php).
>
> 2) The new structure:
> Where is the logic behind it? :-)
> A normal user cannot even edit his own profile, because the menu.php
> denies access to the relevant pages. It works if I directly enter the
> URL. So either this is a security problem (not only in profile.php) or
> this needs some re-thinking.
> Another annoyance is the fact that the min. userlevel in the
> submenu-array seems to have no effect at all. The entry is still visible
> in the menu.

I'm experimenting with this. I started by making it easier for plugins
to add to the Options submenu. To register your options page, hook into
the 'admin_menu' action and call add_options_menu() from your hook.

    function add_test_menu() {
        add_options_menu('Test', 5, '../wp-content/plugins/testpage.php');
    }
    add_action('admin_menu', 'add_test_menu');

testpage.php is organized as follows:

    <?php
    $title = 'Test Plugin Options Page';
    include('../../wp-admin/options-head.php');
    echo "<p>Do stuff here.</p>";
    include('../../wp-admin/admin-footer.php');
    ?>

options-head.php takes care of all of the setup needed to make the page
part of the options submenu.

I resolved the include problems while I was in there and added a
user_can_access_admin_page() function that is called inside of menu.php
after the menu is built. It checks the permissions specified in $menu
and $submenu and will abort if the user does not have sufficient
privileges. No more backdoor.

Patch attached if anyone is interested.

Ryan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: plugin_pages.php
Type: text/x-patch
Size: 13079 bytes
Desc: not available
Url : /pipermail/hackers_wordpress.org/attachments/20041017/f13cf235/plugin_pages-0001.bin
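
An added illustration of the check described in the message above (not the attached patch, which is not reproduced on this page, and not WordPress code): access is decided per request from the same entries that build the menu, so entering a URL directly is subject to the same minimum user level as the menu link. The function names, the (title, minimum user level, file) entry layout, the sample data and the deny-by-default choice for unregistered pages are assumptions.

```php
<?php
// Constructed sample data; entry layout (title, min user level, file) is assumed.
$menu = array(
    5  => array('Write',   1, 'post.php'),
    35 => array('Options', 6, 'options-general.php'),
    40 => array('Profile', 0, 'profile.php'),
);
$submenu = array(
    'options-general.php' => array(
        10 => array('General', 6, 'options-general.php'),
        50 => array('Test',    5, '../wp-content/plugins/testpage.php'),
    ),
);

// Hypothetical helper: highest minimum level registered for $page in either
// array, or null when the page is not registered at all.
function example_required_level($page, array $menu, array $submenu) {
    $entries = array_values($menu);
    foreach ($submenu as $items) {
        $entries = array_merge($entries, array_values($items));
    }
    $required = null;
    foreach ($entries as $entry) {
        if ($entry[2] === $page && ($required === null || $entry[1] > $required)) {
            $required = $entry[1];
        }
    }
    return $required;
}

// Hypothetical check, run on every admin request before any page output.
function example_user_can_access_page($user_level, $page, array $menu, array $submenu) {
    $required = example_required_level($page, $menu, $submenu);
    // Deny by default: an unregistered page has no stated requirement.
    return $required !== null && (int) $user_level >= $required;
}

// Constructed requests: (user level, requested page).
$requests = array(
    array(0, 'profile.php'),
    array(1, 'options-general.php'),
    array(5, '../wp-content/plugins/testpage.php'),
    array(9, 'unlisted.php'),
);
foreach ($requests as $request) {
    list($level, $page) = $request;
    $allowed = example_user_can_access_page($level, $page, $menu, $submenu);
    printf("level %d  %-36s %s\n", $level, $page, $allowed ? 'allow' : 'deny');
}
```

How the requested page is identified from the incoming request is left out; the example takes it as a parameter.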