[wp-trac] [WordPress Trac] #39745: edit.php inaccessible when post type has no submenu
WordPress Trac
noreply at wordpress.org
Tue Jan 31 00:47:44 UTC 2017
#39745: edit.php inaccessible when post type has no submenu
--------------------------------+-----------------------------
Reporter: jmeit | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: 4.7.2
Severity: normal | Keywords:
Focuses: ui, administration |
--------------------------------+-----------------------------
== Problem ==
In the Dashboard menu, you see links to your custom post types. If you
take away a role/user's 'capability' to create_posts, the 'Add New' button
disappears from that post type's submenu, which is expected. '''But''',
the side-effect is that it makes //edit.php?post_type=my_cpt//
inaccessible.
I discovered that it was due to the lack of a submenu by grepping for the
error.
The error message comes from the bottom of '''wp-
admin/includes/menu.php'''.
I followed that to {{{user_can_access_admin_page()}}} in '''wp-
admin/includes/plugin.php:1697'''
and then to {{{get_admin_page_parent()}}} in '''wp-
admin/includes/plugin.php:1509'''
My interpretation, from following the execution with xdebug, is that when
the {{{global $submenu}}} is empty, no page parent is found, and
{{{user_can_access_admin_page()}}} looks for the entry
{{{$_wp_menu_nopriv[$pagenow]}}}, but {{{$pagenow}}} contains edit.php,
instead of the page that was being accessed, ''edit.php?post_type=my_cpt''
.
== To Reproduce ==
1. Create custom post type 'my_cpt' with
{{{
'capability_type' => 'my_cpt',
'capabilities' => array('create_posts' => 'create_my_cpts'),
'supports' => array('author','title') //'author' is the important one for
testing
}}}
2. Add a role 'my_role' with caps {{{'edit_my_cpts' => true}}} and
{{{'create_my_cpts' => false}}}.
3. Add a user and give it the role 'my_role'
4. Add a new my_cpt, and change it's author to the new user.
5. Login to the dashboard as the new user. The menu item for my_cpt will
show up, but will not have a submenu. This is because you've set
'create_my_cpts' to ''false'', which removes the one submenu item that
there would ordinarily be, 'Add New'.
6. Click the menu item to view the list of my_cpts.
You are met with the dreaded "Sorry, you are not allowed to access this
page."
However, if you go directly to //my.wordpress.site/wp-
admin/post.php?post='''[post id]'''&action=edit// you'll see that the user
can still edit its my_cpt post.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/39745>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list