[wp-trac] [WordPress Trac] #33763: Post types with show_ui set to false should not be accessible via the admin area
WordPress Trac
noreply at wordpress.org
Mon Sep 7 08:19:17 UTC 2015
#33763: Post types with show_ui set to false should not be accessible via the admin area
-------------------------------+-------------------------------------
 Reporter:  johnbillion        |      Owner:
     Type:  defect (bug)       |     Status:  new
 Priority:  normal             |  Milestone:  Awaiting Review
Component:  Posts, Post Types  |    Version:  2.9
 Severity:  normal             |   Keywords:  needs-patch 2nd-opinion
  Focuses:  administration     |
-------------------------------+-------------------------------------
This might be a contentious issue. It's certainly not expected behaviour,
but I suspect there are sites which rely on its behaviour.

If a custom post type is registered with `show_ui` set to `false`, it's
still possible to see the post type listing screen for the post type by
manually navigating to the correct URL (eg.
`example.com/wp-admin/edit.php?post_type=my_hidden_post_type`). From there
you can access the post editing screen for the posts and update them.

If I register a post type without a UI, I do not expect to be able to
access a UI for the post type simply by hacking the URL.

The post type listing UI and post editing UI for such a post type should
be disabled. In order to disable this UI currently, you need to set the
post type's capabilities to a capability which your users don't have,
which has the side effect of preventing posts from being created/edited
via other means, such as XML-RPC.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33763>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
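
One way a site could close the gap described in the ticket without touching the post type's capabilities, as an added example that is not part of the ticket and is not WordPress core code. The `myplugin_` function names and the label are hypothetical; the post type name is the one from the ticket's example URL.

```php
<?php
/**
 * Plugin Name: Hidden post type UI guard (added example, not core code)
 */

// Register the post type from the ticket's example URL with no admin UI.
add_action( 'init', 'myplugin_register_hidden_type' );
function myplugin_register_hidden_type() {
	register_post_type( 'my_hidden_post_type', array(
		'label'   => 'Hidden items', // constructed label
		'public'  => false,
		'show_ui' => false,
	) );
}

// Refuse the listing and editing screens for every post type that was
// registered with show_ui => false, however the URL was reached.
add_action( 'current_screen', 'myplugin_block_hidden_type_screens' );
function myplugin_block_hidden_type_screens( $screen ) {
	// 'edit' is edit.php (listing); 'post' is post.php and post-new.php (editor).
	if ( ! in_array( $screen->base, array( 'edit', 'post' ), true ) ) {
		return;
	}

	// Screens that are not tied to a post type have nothing to check.
	if ( '' === (string) $screen->post_type ) {
		return;
	}

	$type = get_post_type_object( $screen->post_type );
	if ( null === $type || $type->show_ui ) {
		return; // Unknown type, or a type that is meant to have a UI.
	}

	// Capabilities are left alone; only the admin screens are denied.
	wp_die(
		'This post type has no admin interface.',
		'Forbidden',
		array( 'response' => 403 )
	);
}
```

The guard covers only `edit.php`, `post.php` and `post-new.php`; because the post type's capabilities are unchanged, users who hold them can still create and edit posts through other interfaces such as XML-RPC.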