[wp-trac] [WordPress Trac] #16808: Insufficient permissions for custom post type management and custom role/caps

WordPress Trac noreply at wordpress.org
Mon Dec 22 06:13:59 UTC 2014


#16808: Insufficient permissions for custom post type management and custom
role/caps
-----------------------------+-------------------------
 Reporter:  Genesis2001      |       Owner:
     Type:  defect (bug)     |      Status:  closed
 Priority:  normal           |   Milestone:
Component:  Role/Capability  |     Version:  3.1
 Severity:  normal           |  Resolution:  worksforme
 Keywords:                   |     Focuses:
-----------------------------+-------------------------

Comment (by alexkoti):

 Hi, I managed to create a test plugin that can reproduce the problem.
 Tested in WordPress 4.1 running Twenty Fifteen theme, without other
 plugins.

 When a user has only the cap required for the CPT (and does not have
 permission to create default posts), and at the same time this CPT is
 configured with 'show_in_menu' to be displayed in another admin page, the
 user will not be allowed to add a new CPT.

 The error is shown at line 319 in `wp-admin/includes/menu.php`:
 {{{#!php
 wp_die( __('You do not have sufficient permissions to access this page.') );
 }}}

 Which is triggered by user_can_access_admin_page() in
 `wp-admin/includes/plugin.php` at line 1703:
 {{{#!php
 if ( isset( $_wp_submenu_nopriv[$key][$pagenow] ) )
         return false;
 }}}
 If the user has permission to add regular posts, the above condition
 returns true.
 After removing 'show_in_menu', the subscriber can add a new CPT.

 Possible solutions:
 1) Add an additional submenu page in the `wp-includes/post.php` function
 `_add_post_type_submenus()`, with `post-new.php?post_type=$ptype`:
 {{{#!php
 add_submenu_page(
         $ptype_obj->show_in_menu,
         $ptype_obj->labels->add_new_item,
         $ptype_obj->labels->add_new,
         $ptype_obj->cap->edit_posts,
         "post-new.php?post_type=$ptype"
 );
 }}}

 2) Modify `user_can_access_admin_page()` to allow the user, or
 `get_admin_page_parent()` to define the admin page as parent.

 At the moment, it is possible to work around this by adding the post-new
 menus in the 'admin_menu' hook:
 {{{#!php
 add_action( 'admin_menu', 'trac16808_add_post_type_submenus', 99 );
 function trac16808_add_post_type_submenus() {
         foreach ( get_post_types( array( 'show_ui' => true ) ) as $ptype ) {
                 $ptype_obj = get_post_type_object( $ptype );
                 // Sub-menus only.
                 if ( ! $ptype_obj->show_in_menu || $ptype_obj->show_in_menu === true )
                         continue;
                 add_submenu_page(
                         $ptype_obj->show_in_menu,
                         $ptype_obj->labels->add_new,
                         $ptype_obj->labels->add_new_item,
                         $ptype_obj->cap->edit_posts,
                         "post-new.php?post_type=$ptype"
                 );
         }
 }
 }}}
 This will pass the verifications in `user_can_access_admin_page()`.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/16808#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
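
The setup the comment above describes, written out as an added example; this is not the commenter's test plugin and not WordPress core code. The parent page slug, the post type name `t16808_book` and its capability names are made up for illustration.

```php
<?php
/**
 * Plugin Name: Trac 16808 setup sketch (constructed example)
 */

// Parent admin page any logged-in user can open ('read').
// Priority 9 so the page exists before core attaches post type
// submenus on 'admin_menu' at the default priority.
add_action( 'admin_menu', 'trac16808_parent_menu', 9 );
function trac16808_parent_menu() {
	add_menu_page( 'Library', 'Library', 'read', 'trac16808-library', 'trac16808_parent_page' );
}
function trac16808_parent_page() {
	echo '<div class="wrap"><h2>Library</h2></div>';
}

// CPT with its own capability set, shown as a submenu of the page above.
add_action( 'init', 'trac16808_register_cpt' );
function trac16808_register_cpt() {
	register_post_type( 't16808_book', array(
		'label'           => 'Books',
		'public'          => true,
		'show_ui'         => true,
		'show_in_menu'    => 'trac16808-library', // string = parent menu slug
		'capability_type' => array( 't16808_book', 't16808_books' ),
		'map_meta_cap'    => true,
		'supports'        => array( 'title', 'editor' ),
	) );
}

// Caps granted to the subscriber role: CPT caps only, none of the
// regular post caps (edit_posts etc.), matching the reported condition.
function trac16808_caps() {
	return array( 'edit_t16808_books', 'publish_t16808_books',
		'edit_published_t16808_books', 'delete_t16808_books' );
}
register_activation_hook( __FILE__, 'trac16808_grant_caps' );
function trac16808_grant_caps() {
	$role = get_role( 'subscriber' );
	if ( ! $role ) return;
	foreach ( trac16808_caps() as $cap ) $role->add_cap( $cap );
}
// Role caps are stored in the database, so take them back on deactivation.
register_deactivation_hook( __FILE__, 'trac16808_revoke_caps' );
function trac16808_revoke_caps() {
	$role = get_role( 'subscriber' );
	if ( ! $role ) return;
	foreach ( trac16808_caps() as $cap ) $role->remove_cap( $cap );
}
```

With this active, the comment's report corresponds to a subscriber requesting `post-new.php?post_type=t16808_book` and being stopped by the `wp_die()` quoted above.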

