[wp-trac] [WordPress Trac] #11770: inconsistencies in the WPMU menu permissions

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 6 17:53:24 UTC 2010


#11770: inconsistencies in the WPMU menu permissions
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:             
     Type:  defect (bug)       |      Status:  new        
 Priority:  normal             |   Milestone:  3.0        
Component:  Multisite          |     Version:  3.0        
 Severity:  normal             |    Keywords:  2nd-opinion
-------------------------------+--------------------------------------------
 In wpmu_menu(), we have:

 {{{
 unset( $submenu['plugins.php'][15] ); // always remove the plugin editor
 }}}

 But further down in list_activate_sitewide_plugins(), we have:

 {{{
 if ( current_user_can('edit_plugins') ...
 }}}

 Firstly, if memory serves, the non-existence of the menu item should make
 this trigger an error if it's clicked. (If not, we should add some more
 CYA permission checks similar to those we introduced around WP 2.8.1 and
 2.8.2.)

 Secondly, does it really make any sense to add this check on a MU site? It
 sounds like a recipe for breaking an installation.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11770>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
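
The ticket contrasts a menu entry that is unset with a capability check made elsewhere. The sketch below is an added example, not code from the ticket or from WordPress core. It shows one way to keep the two consistent by denying `edit_plugins` at the capability layer and checking it again when the editor screen loads. The `example_*` function names and the choice of a must-use plugin are assumptions.

```php
<?php
/**
 * Added example: hypothetical must-use plugin (e.g. wp-content/mu-plugins/).
 * Removing a $submenu entry only hides a link; the screen behind it is still
 * reachable by URL. Enforcing the decision in the capability layer makes the
 * menu and the request handler agree.
 */

/**
 * On multisite, map 'edit_plugins' to 'do_not_allow' for anyone who is not a
 * super admin. Core's admin menu skips entries whose capability the user
 * lacks, so the editor link is hidden as a side effect of the denial.
 */
function example_deny_plugin_editor( $caps, $cap, $user_id ) {
    // is_multisite() is tested first so is_super_admin() is only reached on
    // multisite, where it does not call back into the capability system.
    if ( 'edit_plugins' === $cap && is_multisite() && ! is_super_admin( $user_id ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'example_deny_plugin_editor', 10, 3 );

/**
 * Second layer: re-check the capability when the editor screen is requested
 * directly, so a hidden menu item is never the only control.
 */
function example_block_plugin_editor_request() {
    if ( ! current_user_can( 'edit_plugins' ) ) {
        wp_die( 'You do not have sufficient permissions to edit plugins for this site.' );
    }
}
// 'load-{$pagenow}' fires early in wp-admin for the named core screen.
add_action( 'load-plugin-editor.php', 'example_block_plugin_editor_request' );
```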

