[wp-trac] [WordPress Trac] #48511: issue with custom post type capabilities
WordPress Trac
noreply at wordpress.org
Wed Nov 6 14:14:55 UTC 2019
#48511: issue with custom post type capabilities
-----------------------------+---------------------------------------
Reporter: mmenciassi | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Role/Capability | Version: 5.2.4
Severity: major | Keywords: needs-testing needs-patch
Focuses: administration |
-----------------------------+---------------------------------------
= The need =
The WP installation should have a Custom Post Type (i.e. promo)
We need to have two kind of users, one that can create, update and publish
a new promo post, and another one that can only view and update pending
promo post and save a new revision.
To do that I tried to create a custom post type both with a plugin and
rightly with code written in the theme function.php file.
= The Issue =
The users that have only the update capability (not the create one), can
view the link in the admin menu with the "Custom Post type" list of items,
but when they click over it they receive a message: 'Sorry, you are not
allowed to access this page.' with 403 status.
This behaviour is strange.
The following URL returns 403 status
/wp-admin/edit.php?post_type=promo_toy
but contrary to the previous page, access to a single post is allowed
for example, the following url works fine
/wp-admin/post.php?post=9&action=edit
= what's happened? =
It happens only when the Custom Post has only 1 subpage.
In the case above, the user doesn't have the creation capability, so the
"add new" page is not added in submenu, so the custom post type page have
only one subpage "All promo toy" that show all the posts of this kind of
post type.
but...
in /wp-admin/includes/menu.php there is a step that removes the submenu
page if there is only one submenu and it has same destination as the
parent (around row 170)
Well, I receive a 403 status only in the case there is only one submenu
page (and it was removed)
if I add (via function.php) a fake submenu page, for example and info
page, the link to the post listing works fine without checks failure.
{{{#!php
<?php
function promo_toy_info() {
}
function info_pages() {
add_submenu_page( 'edit.php?post_type=promo_toy', 'info page',
'info page', 'edit_others_promo_toys', 'promo-toy-info',
'promo_toy_info');
}
add_action('admin_menu', 'info_pages');
}}}
The same thing happens if I comment the code in the point that removes the
submenu page (if is only one and it has the same link of the parent)
''if I comment this point in /wp-admin/includes/menu.php it works fine''
{{{#!php
<?php
/*
* If there is only one submenu and it is has same destination as
the parent,
* remove the submenu.
*/
if ( ! empty( $submenu[ $data[2] ] ) && 1 == count( $submenu[
$data[2] ] ) ) {
$subs = $submenu[ $data[2] ];
$first_sub = reset( $subs );
if ( $data[2] == $first_sub[2] ) {
unset( $submenu[ $data[2] ] );
}
}
}}}
= the custom post type creation =
"here the creation and setting of the custom post type inside
functions.php"
{{{#!php
<?php
function custom_init() {
$args = [
"labels" => [
"name" => "Promos Toy",
"singular_name" => "Promo Toy",
"all_items" => "All Promos Toy",
"add_new_item" => "Add new Promo Toy",
"edit_item" => "Edit Promo Toy",
"new_item" => "New Promo Toy",
"view_item" => "View Promo Toy",
"search_items" => "Search Promos Toy",
"not_found" => "No Promos Toy found.",
"not_found_in_trash" => "No Promos Toy
found in trash."
],
"description" => "Test Post Type",
"public" => false,
"publicly_queryable" => true,
"show_ui" => true,
"show_in_nav_menus" => true,
"has_archive" => false,
"show_in_menu" => true,
"show_in_rest" => true,
"rest_base" => "",
"rest_controller_class" => "",
"exclude_from_search" => true,
"capability_type" => array("promo_toy",
"promo_toys"),
"map_meta_cap" => true,
"hierarchical" => false,
"rewrite" => "",
"menu_position" => "",
"menu_icon" => "dashicons-admin-page",
"query_var" => true,
"supports" => ["title", "revisions", "author"],
"taxonomies" => [],
"capabilities" => [
"edit_post" => "edit_promo_toy",
"edit_others_posts" =>
"edit_others_promo_toys",
"edit_private_posts" =>
"edit_private_promo_toys",
"edit_published_posts" =>
"edit_published_promo_toys",
"read_private_posts" =>
"read_private_promo_toys",
"delete_post" => "delete_promo_toy",
"delete_others_posts" =>
"delete_others_promo_toys",
"delete_private_posts" =>
"delete_private_promo_toys",
"delete_published_posts" =>
"delete_published_promo_toys",
"publish_posts" => "publish_promo_toys",
"create_posts" => "create_promo_toys"
]
];
$res = register_post_type("promo_toy", $args);
}
add_action( 'init', 'custom_init' );
}}}
= The users capabilities =
The **admin** has **all** the custom post type **capabilities**
The **user** that could make new review but can't create or publish it has
these capabilities:
**read, edit_promo_toys, edit_others_promo_toys**
the capabilities are assigned via plugin, I tried to use both **Members**
(v. 2.2.0) and **User Role Editor** (v. 4.52) the results is the same.
= Plugin installed =
For this test I used a brand new WP installation (last version) with only
one plugin: "members".
--
Ticket URL: <https://core.trac.wordpress.org/ticket/48511>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list