[wp-trac] [WordPress Trac] #16808: Insufficient permissions for custom post type management and custom role/caps
WordPress Trac
noreply at wordpress.org
Mon Dec 22 06:13:59 UTC 2014
#16808: Insufficient permissions for custom post type management and custom
role/caps
-----------------------------+-------------------------
Reporter: Genesis2001 | Owner:
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Role/Capability | Version: 3.1
Severity: normal | Resolution: worksforme
Keywords: | Focuses:
-----------------------------+-------------------------
Comment (by alexkoti):
Hi, I managed to create a test plugin that can reproduce the problem.
Tested in WordPress 4.1 running Twenty Fifteen theme, without other
plugins.
When a user have only the cap required for CPT (and do not have permission
to create default posts), and at the same time, this CPT is configured
with 'show_in_menu' to be displayed in another admin page, the user will
not be allowed to add a new CPT.
The error is show at line 319 in `wp-admin/includes/menu.php`:
{{{#!php
wp_die( __('You do not have sufficient permissions to access this page.')
);
}}}
Which is triggered by user_can_access_admin_page() in `wp-
admin/includes/plugin.php` at line 1703
{{{#!php
if ( isset( $_wp_submenu_nopriv[$key][$pagenow] ) )
return false;
}}}
If the user have permission to add regular posts, the above condition
returns true.
Removing 'show_in_menu' and the subscriber can add new CPT.
Possible solutions:
1) Add aditional submenu page in `wp-includes/post.php` function
`_add_post_type_submenus()`, with `post-new.php?post_type=$ptype`:
{{{#!php
add_submenu_page( $ptype_obj->show_in_menu,
$ptype_obj->labels->add_new_item, $ptype_obj->labels->add_new,
$ptype_obj->cap->edit_posts, "post-new.php?post_type=$ptype" );
}}}
2) Modify user_`can_access_admin_page()` to allow user, or
`get_admin_page_parent()` to define the admin page as parent.
At the moment, is possible to workaround adding the post-new menus in
'admin_menu' hook:
{{{#!php
add_action( 'admin_menu', 'trac16808_add_post_type_submenus', 99 );
function trac16808_add_post_type_submenus() {
foreach ( get_post_types( array( 'show_ui' => true ) ) as $ptype )
{
$ptype_obj = get_post_type_object( $ptype );
// Sub-menus only.
if ( ! $ptype_obj->show_in_menu ||
$ptype_obj->show_in_menu === true )
continue;
add_submenu_page( $ptype_obj->show_in_menu,
$ptype_obj->labels->add_new, $ptype_obj->labels->add_new_item,
$ptype_obj->cap->edit_posts, "post-new.php?post_type=$ptype" );
}
}
}}}
This will pass the verifications in `user_can_access_admin_page()`;
--
Ticket URL: <https://core.trac.wordpress.org/ticket/16808#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list