Skip to:
Content
Pages
Categories
Search
Top
Bottom

Re: BP plugins are visible and activatable for non-admin users in their consoles


John James Jacoby
Keymaster

@johnjamesjacoby

14 years ago

The visibility of the Admin nav-item is a side effect of “Site Wide: true” but it isn’t the correct way to fix this.

The “Site Wide” meta value doesn’t have anything to do with users, roles, or capabilities. It’s only there to tell WordPress that plugin can act as the umbrella that covers all blogs/sites in a network.

The offending plugins are simply just not using the correct methods to add their navigation to the Admin area.

WordPress has many wrappers to help make this easy for plugin authors:

add_management_page

add_options_page

add_theme_page

add_users_page

add_dashboard_page

add_posts_page

add_media_page

add_links_page

add_pages_page

add_comments_page

All of the above functions are passed an $access_level variable, that can be set to a “current_user_can” value to limit its access.

I’d drop a message to the authors of the plugins that are showing their settings to unauthorized users. That isn’t just inconvenient/embarrassing/confusing, it’s a security risk.

Forums

Views

Feeds

Tags

404 activation Activity activity activity stream admin admin bar ajax avatar avatars bbPress blog blogs Buddypress buddypress bug child theme comments css custom directory edit email error facebook fatal error filter forum forums friends group groups header help installation link links login member members menu message Messages multisite navigation notification notifications page pages php plugin plugins post posts privacy private problem profile Profile Fields profiles redirect register registration search sidebar spam template theme themes update upgrade upload URL user username users widget widgets wordpress xprofile
Skip to toolbar