[wp-trac] [WordPress Trac] #11770: inconsistencies in the WPMU menu permissions

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 6 17:53:24 UTC 2010

#11770: inconsistencies in the WPMU menu permissions
 Reporter:  Denis-de-Bernardy  |       Owner:             
     Type:  defect (bug)       |      Status:  new        
 Priority:  normal             |   Milestone:  3.0        
Component:  Multisite          |     Version:  3.0        
 Severity:  normal             |    Keywords:  2nd-opinion

 In wpmu_menu(), we have:

 unset( $submenu['plugins.php'][15] ); // always remove the plugin editor

 But further down in list_activate_sitewide_plugins(), we have:

 if ( current_user_can('edit_plugins') ...

 Firstly, if memory serves, the non-existence of the menu item should make
 this trigger an error if it's clicked. (if not, we should add some more
 CYA permission checks similar to those we introduced around WP 2.8.1 and

 Secondly, does it really make any sense to add this check on a MU site? It
 sounds like a recipe for breaking an installation.

Ticket URL: <http://core.trac.wordpress.org/ticket/11770>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software