[wp-trac] [WordPress Trac] #14365: Admin custom option screen not saved unless user manage_options capability
WordPress Trac
wp-trac at lists.automattic.com
Tue Jul 20 18:54:02 UTC 2010
#14365: Admin custom option screen not saved unless user manage_options capability
----------------------------+-----------------------------------------------
Reporter: markauk | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Administration | Version: 3.0
Severity: normal | Keywords:
----------------------------+-----------------------------------------------
I have a custom options screen. The menu and sub-menu pages for that
screen are set to show only if a user has a custom capability
('be_super_editor' in this case).
The options screen shows or not as expected if a user has or does not have
the 'be_super_editor' capability.
However, the options cannot be updated unless the user has
'manage_options' capability as well. This seems to be wrong for two
reasons:-
(1) if a capability allows an options screen to be accessed, it is
reasonable to assume that the user should be able to make changes to that
screen.
(2) giving these users 'manage_options' capability is not a good idea as
that allows them to do other things that they shouldn't be able to do
(e.g. access wp-admin/options.php directly).
Changing line 30 of wp-admin/options.php from:-
{{{
if ( !current_user_can('manage_options') )
}}}
to:-
{{{
if ( !current_user_can('manage_options') && 'update' != $action )
}}}
fixes the problem, though I don't know enough about the inner workings of
WP security to say if this creates any further security/permissions
issues.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14365>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
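The ticket leaves open whether the proposed condition has wider permission effects. The sketch below is an added example, not code from WordPress or from the reporter: it models only the one condition quoted from wp-admin/options.php and tabulates who passes it. The user list, the 'be_settings' page slug, the `$page_caps` map and the three `gate_*` functions are assumptions made for illustration.

```php
<?php
// Added model of the single capability gate quoted in the ticket; any other
// checks wp-admin/options.php performs are outside this model.

// Constructed sample users: name => capabilities held.
$users = array(
    'administrator' => array( 'manage_options', 'be_super_editor' ),
    'super_editor'  => array( 'be_super_editor' ),
    'subscriber'    => array(),
);

// Hypothetical map from an options page to the capability its menu requires.
$page_caps = array( 'be_settings' => 'be_super_editor' );

// Gate as quoted from line 30: deny without manage_options.
function gate_current( $caps, $action ) {
    return in_array( 'manage_options', $caps, true );
}

// Gate as proposed in the ticket: the deny branch is skipped for 'update'.
function gate_proposed( $caps, $action ) {
    return ! ( ! in_array( 'manage_options', $caps, true ) && 'update' != $action );
}

// Hypothetical alternative: an update needs the capability mapped to the page
// being saved; everything else still needs manage_options.
function gate_per_page( $caps, $action, $page, $page_caps ) {
    if ( 'update' === $action && isset( $page_caps[ $page ] ) ) {
        return in_array( $page_caps[ $page ], $caps, true );
    }
    return in_array( 'manage_options', $caps, true );
}

foreach ( $users as $name => $caps ) {
    foreach ( array( '', 'update' ) as $action ) {
        printf(
            "%-13s action=%-6s current=%-5s proposed=%-5s per_page=%s\n",
            $name,
            '' === $action ? 'view' : $action,
            gate_current( $caps, $action ) ? 'allow' : 'deny',
            gate_proposed( $caps, $action ) ? 'allow' : 'deny',
            gate_per_page( $caps, $action, 'be_settings', $page_caps ) ? 'allow' : 'deny'
        );
    }
}
```

In this model the proposed condition lets the subscriber's 'update' request through the gate, because the capability test no longer applies once `$action` is 'update'; the per-page variant allows the update only for holders of the capability mapped to that page.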