[wp-trac] [WordPress Trac] #39745: edit.php inaccessible when post type has no submenu

Tue Jan 31 00:47:44 UTC 2017

#39745: edit.php inaccessible when post type has no submenu
--------------------------------+-----------------------------
 Reporter:  jmeit               |      Owner:
     Type:  defect (bug)        |     Status:  new
 Priority:  normal              |  Milestone:  Awaiting Review
Component:  Role/Capability     |    Version:  4.7.2
 Severity:  normal              |   Keywords:
  Focuses:  ui, administration  |
--------------------------------+-----------------------------
 == Problem ==
 In the Dashboard menu, you see links to your custom post types. If you
 take away a role/user's 'capability' to create_posts, the 'Add New' button
 disappears from that post type's submenu, which is expected. '''But''',
 the side-effect is that it makes //edit.php?post_type=my_cpt//
 inaccessible.

 I discovered that it was due to the lack of a submenu by grepping for the
 error.
 The error message comes from the bottom of '''wp-
 admin/includes/menu.php'''.
 I followed that to {{{user_can_access_admin_page()}}} in '''wp-
 admin/includes/plugin.php:1697'''
 and then to {{{get_admin_page_parent()}}} in '''wp-
 admin/includes/plugin.php:1509'''
 My interpretation, from following the execution with xdebug, is that when
 the {{{global $submenu}}} is empty, no page parent is found, and
 {{{user_can_access_admin_page()}}} looks for the entry
 {{{$_wp_menu_nopriv[$pagenow]}}}, but {{{$pagenow}}} contains edit.php,
 instead of the page that was being accessed, ''edit.php?post_type=my_cpt''
 .

 == To Reproduce ==
 1. Create custom post type 'my_cpt' with
 {{{
 'capability_type' => 'my_cpt',
 'capabilities' => array('create_posts' => 'create_my_cpts'),
 'supports' => array('author','title') //'author' is the important one for
 testing
  }}}
 2. Add a role 'my_role' with caps {{{'edit_my_cpts' => true}}} and
 {{{'create_my_cpts' => false}}}.
 3. Add a user and give it the role 'my_role'
 4. Add a new my_cpt, and change it's author to the new user.
 5. Login to the dashboard as the new user. The menu item for my_cpt will
 show up, but will not have a submenu. This is because you've set
 'create_my_cpts' to ''false'', which removes the one submenu item that
 there would ordinarily be, 'Add New'.
 6. Click the menu item to view the list of my_cpts.
 You are met with the dreaded "Sorry, you are not allowed to access this
 page."
 However, if you go directly to //my.wordpress.site/wp-
 admin/post.php?post='''[post id]'''&action=edit// you'll see that the user
 can still edit its my_cpt post.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/39745>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform