[wp-hackers] How to prevent "You do not have sufficient permissions to access this page."

Dion Hulse (dd32) wordpress at dd32.id.au
Mon May 28 23:47:06 UTC 2012


It would be best to send a nonce no matter where you're posting the data to.
You shouldn't ever simply rely on a cap check; you should use a cap
check to make sure the user is allowed to do it, and a nonce check to
make sure the user actually requested it.

On 29 May 2012 00:29, Mike Walsh <mpwalsh8 at gmail.com> wrote:
> On Mon, May 28, 2012 at 1:21 PM, Dion Hulse (dd32) <wordpress at dd32.id.au> wrote:
>
>> I'd suggest one of 2 things:
>>  1. Use admin-post.php for callbacks, and redirect back to the plugin
>> page afterwards
>> or
>>  2. Register the pages you need, and use the load-<pagehook> action to
>> process form events from that page. The load hook is run before any
>> admin template code is run.
>>
>> I'm not sure if I'm missing something here though :)
>>
>>
> Just to clarify, if I use admin-post.php, I need to add a nonce to the URL,
> correct?
>
> Mike
> --
> Mike Walsh - mpwalsh8 at gmail.com
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
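
The pattern discussed in this thread (an admin-post.php callback that does a cap check and a nonce check, then redirects back to the plugin page), as an added example that is not part of the original messages. The action name `myplugin_save`, the nonce field `myplugin_nonce`, the option `myplugin_label`, the page slug `myplugin` and the `manage_options` capability are assumptions chosen for illustration.

```php
<?php
// Hypothetical names (assumptions): action "myplugin_save", nonce field
// "myplugin_nonce", option "myplugin_label", settings page slug "myplugin".

// Render the form on the plugin's admin page; it posts to admin-post.php.
function myplugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save" />
        <?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_label"
               value="<?php echo esc_attr( get_option( 'myplugin_label', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}

// admin-post.php fires admin_post_{action} for logged-in users.
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

function myplugin_handle_save() {
    // Cap check: is this user allowed to do it?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }

    // Nonce check: did this user actually request it? Dies on failure.
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

    // Only after both checks pass is the submitted value read and stored.
    $label = isset( $_POST['myplugin_label'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_label'] ) )
        : '';
    update_option( 'myplugin_label', $label );

    // Redirect back to the plugin page afterwards.
    wp_safe_redirect( add_query_arg(
        array( 'page' => 'myplugin', 'updated' => '1' ),
        admin_url( 'options-general.php' )
    ) );
    exit;
}
```

For a plain link rather than a form, `wp_nonce_url()` appends the same nonce to the URL and the handler's checks stay unchanged.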

