[wp-trac] [WordPress Trac] #29714: user_can_access_admin_page() returning false for edit.php?post_type=CPT

WordPress Trac noreply at wordpress.org
Sat Sep 20 12:30:27 UTC 2014


#29714: user_can_access_admin_page() returning false for edit.php?post_type=CPT
-----------------------------+-----------------------------
 Reporter:  bobbingwide      |      Owner:
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Role/Capability  |    Version:  4.0
 Severity:  normal           |   Keywords:
  Focuses:                   |
-----------------------------+-----------------------------
 I have a Custom Post Type (CPT) for which I intend to allow registered
 subscribers the capability to edit posts, but not create posts or manage
 the custom taxonomies for the posts.

 In this example the CPT is "oik_site" - plural label "Sites"

 When the registered user is logged in and viewing the Dashboard then the
 admin menu correctly shows the only available option; Sites - which
 invokes wp-admin/edit.php?post_type=oik_site

 When the user clicks on the link WordPress dies with "You do not have
 sufficient permissions to access this page."

 The expected result is that the user should be shown the list of sites,
 without the Add New button.

 I have tracked the problem down to what I believe to be a bug in
 user_can_access_admin_page().

 The "oik_site" CPT is defined with
 {{{
   $post_type_args['capability_type'] = 'oik_site';
   $post_type_args['capabilities'] = array( 'create_posts' => 'create_oik_sites' );
   $post_type_args['map_meta_cap'] = true;
 }}}

 The 'create_posts' capability is defined as 'create_oik_sites', overriding
 the default 'edit_oik_sites'.

 Subscribers are given the 'edit_oik_sites' capability only.

 '''Where it goes wrong...'''

 The processing in wp-admin/includes/menu.php has correctly checked the
 user's capability to "edit_oik_sites" and the admin menu has been
 simplified so that the 'All Sites' sub menu item is no longer displayed.
 Since the user has neither create_oik_sites nor manage_categories,
 the Add New and Custom Taxonomy submenu items have been deleted.

 Everything seems fine until we call user_can_access_admin_page().
 Here it determines $parent to be null and $pagenow to be "edit.php".

 $_wp_menu_nopriv is correctly set to the menu items that the subscriber
 cannot use
 {{{
     [edit.php] => 1
     [upload.php] => 1
     [link-manager.php] => 1
     [edit.php?post_type=page] => 1
     [edit-comments.php] => 1
     ...
 }}}

 Note: edit.php?post_type=oik_site IS NOT SET in the $_wp_menu_nopriv array.


 Since these tests are true the function returns false.
 {{{
  if ( empty( $parent) ) {
     if ( isset( $_wp_menu_nopriv[$pagenow] ) )
       return false;
 }}}

 Had the second test taken into account the post_type being edited then
 this would not have failed.

 '''Proposed fix'''

 Adding the following code after the test on empty( $parent ) gives the
 expected results.

 {{{
     if ( $pagenow == "edit.php" && isset( $_REQUEST['post_type'] ) ) {
       $pagenow .= '?post_type=' . $_REQUEST['post_type'];
     }
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/29714>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
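
The lookup described in the ticket, as an added example that is not part of the original report and not WordPress core code. It models only the quoted branch (empty $parent); the function names menu_key() and can_access(), the $menu_types list and the sample requests are constructed for illustration. It goes slightly beyond the proposed fix by normalising the request value and keeping the plain edit.php key for any post type that has no menu entry of its own, so the check fails closed.

```php
<?php
// Simplified model of the top-level menu check quoted in the ticket.
// Hypothetical helpers; sample data below is constructed.

/** Build the lookup key; qualify edit.php only for a known menu post type. */
function menu_key(string $pagenow, array $request, array $menu_types): string {
    if ($pagenow !== 'edit.php' || !isset($request['post_type'])
        || !is_string($request['post_type'])) {
        return $pagenow;
    }
    // Normalise to a slug: lowercase, [a-z0-9_-] only.
    $type = preg_replace('/[^a-z0-9_-]/', '', strtolower($request['post_type']));
    // Fail closed: anything without its own menu key is checked as plain edit.php.
    return in_array($type, $menu_types, true) ? "edit.php?post_type=$type" : $pagenow;
}

/** Models only the branch quoted in the ticket (empty $parent). */
function can_access(string $key, array $nopriv): bool {
    return !isset($nopriv[$key]);
}

// The subscriber's no-privilege map, with the keys listed in the ticket.
$nopriv = [
    'edit.php' => 1, 'upload.php' => 1, 'link-manager.php' => 1,
    'edit.php?post_type=page' => 1, 'edit-comments.php' => 1,
];
// Assumption: post types whose menu slug carries ?post_type= (constructed list).
$menu_types = ['page', 'oik_site'];

// Constructed requests to wp-admin/edit.php.
$requests = [
    'oik_site'     => ['post_type' => 'oik_site'],
    'page'         => ['post_type' => 'page'],
    'post'         => ['post_type' => 'post'],
    'unknown type' => ['post_type' => 'no_such_type'],
    'array value'  => ['post_type' => ['oik_site']],
    'no parameter' => [],
];

// Behaviour reported in the ticket: the key is always plain edit.php.
printf("%-14s key=%-30s %s\n", 'as reported', 'edit.php',
    can_access('edit.php', $nopriv) ? 'allowed' : 'denied');

foreach ($requests as $label => $req) {
    $key = menu_key('edit.php', $req, $menu_types);
    printf("%-14s key=%-30s %s\n", $label, $key,
        can_access($key, $nopriv) ? 'allowed' : 'denied');
}
```

Only the oik_site request resolves to a key that is absent from the map; every other request is still checked against edit.php or edit.php?post_type=page and denied for this user.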

