[wp-hackers] options capabilities bug?
Steve Taylor
steve at sltaylor.co.uk
Tue Jul 12 14:08:37 UTC 2011
Sorry, should have checked Trac first :-\ Thanks, Chip!
On 12 July 2011 13:31, Chip Bennett <chip at chipbennett.net> wrote:
> This is a known issue, with a workaround added to 3.2. (You can see the
> workaround in action in Twenty Eleven.)
>
> Copying straight out of my own
> code<https://github.com/chipbennett/oenology/blob/d586858687a4b00885a88c0b7084dd87153b1c4e/functions/options.php>(so
> I don't have to rewrite the explanation):
>
> /**
> * Filter Capability for Theme Settings Page
> *
> * This filter implements a WordPress 3.2 fix for
> * a minor bug, in which add_theme_page() is passed
> * the "edit_theme_options" capability, but the
> * settings page form is passed through options.php,
> * which expects the "manage_options" capability.
> *
> * The "edit_theme_options" capability is part of the
> * EDITOR user role, while "manage_options" is only
> * available to the ADMINISTRATOR role. So, users in
> * the EDITOR user role can access the Theme settings
> * page, but are unable actually to update/save the
> * Theme settings.
> *
> * The function is hooked into a hook, introduced in
> * WordPress 3.2: "option_page_capability_{option_page}",
> * where {option_page} is the name of the options page,
> * as defined in the fourth argument of the call to
> * add_theme_page()
> *
> * The function returns a string consisting of the
> * appropriate capability for saving Theme settings.
> */
> *function** oenology_get_settings_page_cap() {*
> * return 'edit_theme_options';*
> *}*
> *// Hook into option_page_capability_{option_page}*
> *add_action**(** 'option_page_capability_oenology-settings',
> 'oenology_get_settings_page_cap' );*
>
> I added on a bit to what Twenty Eleven does, by passing
> oenology_get_settings_page_cap() to add_theme_page(), just to ensure
> consistency:
>
> /**
> * Setup the Theme Admin Settings Page
> *
> * Add "Oenology Options" link to the "Appearance" menu
> */
> function oenology_add_theme_page() {
> add_theme_page(
> // $page_title
> // Name displayed in HTML title tag
> 'Oenology Options',
> // $menu_title
> // Name displayed in the Admin Menu
> 'Oenology Options',
> * // $capability*
> * // User capability required to access page*
> * oenology_get_settings_page_cap(), *
> // $menu_slug
> // String to append to URL after "themes.php"
> 'oenology-settings',
> // $callback
> // Function to define settings page markup
> 'oenology_admin_options_page'
> );
>
>
> So, easy fix, once you know what's going on.
>
> Chip
>
> On Tue, Jul 12, 2011 at 7:18 AM, Steve Taylor <steve at sltaylor.co.uk> wrote:
>
>> I'm using Justin Tadlock's excellent Members plugin to create a "Super
>> Editor" role. Basically to allow some client editors to change
>> settings on the site, but to keep them from updating, installing
>> plugins, etc.
>>
>> So, besides the usual Editor capabilities, I've assigned them the
>> manage_options one.
>>
>> They can see the Settings menus, but when they submit one, they get
>> the "You do not have permission" notice.
>>
>> I've tracked this down to this in my custom theme code:
>>
>> add_action( 'admin_menu', 'slt_all_settings_link' );
>> function slt_all_settings_link() {
>> add_options_page( __('All Settings'), __('All Settings'),
>> 'update_core', 'options.php' );
>> }
>>
>> I want this "all settings page" output just for admins, so I use the
>> update_core capability. However, setting it this way causes the above
>> issue with users who have been granted the manage_options capability,
>> but who don't have the capability set for the options.php page. If I
>> change the above capability to manage_options, the other screens work
>> too.
>>
>> Is this a bug? Or is it just something unavoidable in the way the
>> internal options handling works?
>>
>> I'm setting the above page to be visible with manage_options for now,
>> it's no biggie - just thought I report this in case there's other
>> ramifications.
>>
>> cheers,
>>
>> Steve
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
>>
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
More information about the wp-hackers
mailing list