[wp-trac] [WordPress Trac] #11770: inconsistencies in the WPMU menu permissions
WordPress Trac
wp-trac at lists.automattic.com
Wed Jan 6 17:53:24 UTC 2010
#11770: inconsistencies in the WPMU menu permissions
-------------------------------+--------------------------------------------
Reporter: Denis-de-Bernardy | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Multisite | Version: 3.0
Severity: normal | Keywords: 2nd-opinion
-------------------------------+--------------------------------------------
in wpmu_menu(), we have:
{{{
unset( $submenu['plugins.php'][15] ); // always remove the plugin editor
}}}
but further down in list_activate_sitewide_plugins(), we have:
{{{
if ( current_user_can('edit_plugins') ...
}}}
firstly, if memory serves, the non-existence of the menu item should make
this trigger an error if it's clicked. (if not, we should add some more
CYA permission checks similar to those we introduced around WP 2.8.1 and
2.8.2.)
secondly, does it really make any sense to add this check on a MU site? it
sounds like a recipe for breaking an installation.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11770>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list