Ticket #6248 (closed defect: fixed)

Opened 8 months ago

Last modified 8 months ago

WP permission issue for plugin updater

Reported by: Denis-de-Bernardy
Assigned to: anonymous
Priority: normal
Milestone: 2.5
Component: Administration
Version: 2.5
Severity: normal
Keywords: has-patch dev-feedback
Cc:

Description

in WP 2.5, trunk, wp-admin/update.php, things start like this:

if ( !current_user_can('edit_plugins') )
                wp_die('<p>'.__('You do not have sufficient permissions to update plugins for this blog.').'</p>');

I've disabled the edit_plugins, edit_themes and edit_files capabilities from my administrator role. I do the same for each of my customers, because I don't want them to see scary looking "Edit [File]" screens in their admin area. I'm guessing others do the same. Anyway...

Could it be possible to change the above to:

if ( !( current_user_can('edit_plugins') || current_user_can('administrator') ) )
                wp_die('<p>'.__('You do not have sufficient permissions to update plugins for this blog.').'</p>');

And/or, change the message on the plugins screen as necessary, so that only relevant users get prompted to upgrade their plugins automatically? (i.e. change "There is a new version of [Plugin] available. Download version [X] here or upgrade automatically." to "There is a new version of [Plugin] available. Download version [X] here.")

Attachments

6248.diff (1.2 kB) - added by DD32 on 03/20/08 23:22:51.
6248.2.diff (1.4 kB) - added by DD32 on 03/20/08 23:27:23.

Change History

03/16/08 16:59:33 changed by Denis-de-Bernardy

Adding to this one, it would also be sweet to check if the package variable of the response is set before suggesting the automated upgrade.

function wp_plugin_update_row( $file ) {
	// Don't offer the automatic upgrader to users who may not run it.
	if ( !( current_user_can('edit_plugins') || current_user_can('administrator') ) )
		return false;

	global $plugin_data;
	$current = get_option( 'update_plugins' );
	if ( !isset( $current->response[ $file ] ) )
		return false;

	$r = $current->response[ $file ];

	echo "<tr><td colspan='5' class='plugin-update'>";

	// Only offer the automatic upgrade when the response carries a package URL
	// (checked with empty() so a response without the property raises no notice).
	if ( !empty( $r->package ) ) {
		printf( __('There is a new version of %1$s available. <a href="%2$s">Download version %3$s here</a> or <a href="%4$s">upgrade automatically</a>.'), $plugin_data['Name'], $r->url, $r->new_version, wp_nonce_url("update.php?action=upgrade-plugin&amp;plugin=$file", 'upgrade-plugin_' . $file) );
	} else {
		printf( __('There is a new version of %1$s available. <a href="%2$s">Download version %3$s here</a>.'), $plugin_data['Name'], $r->url, $r->new_version );
	}
	echo "</td></tr>";
}

That way, this plugin will work as expected in its current implementation, and its next one:

http://www.semiologic.com/software/wp-fixes/version-checker/

Thanks!

03/16/08 23:35:07 changed by DD32

What permission is used for access to the plugins page? manage_plugins?

Alternatively, could add an update_plugins capability, that way it can be restricted on a per-role basis by the role management plugins?

I'd support only showing the upgrade if a plugin package is available, However, for all intents and purposes, all wordpress.org plugins should have it available.

I don't think anyone has even thought of supporting the 3rd party plugins yet.

If anyone can suggest places for hooks and/or filters in the updater code, that could be useful.
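The following is an added example, not WordPress core code and not the version-checker plugin linked above. It puts together the three pieces discussed so far in this ticket: the reporter's setup (removing the file-editing capabilities from Administrator), DD32's idea of a separate update_plugins capability that role-management plugins can grant per role, and the gating of the "upgrade automatically" link together with the check update.php must still make when the link is followed. The capability name 'update_plugins' is DD32's suggestion, not a capability WordPress 2.5 defines, and every name prefixed example_ is an assumption of this illustration; the rest is the WordPress roles/nonce API (get_role, add_cap/remove_cap, current_user_can, wp_nonce_url, check_admin_referer).

```php
<?php
// Added example, not WordPress core code and not the version-checker plugin.
// Assumptions: the capability name 'update_plugins' (DD32's suggestion in this
// ticket, not defined by WordPress 2.5) and every name prefixed example_.

// Reporter's setup. Role changes are stored in the wp_user_roles option, so
// run this once (e.g. on plugin activation), not on every page load.
function example_strip_file_editing_from_admin() {
	$role = get_role( 'administrator' );
	if ( ! $role )
		return false;
	foreach ( array( 'edit_plugins', 'edit_themes', 'edit_files' ) as $cap )
		$role->remove_cap( $cap );
	return true;
}

// DD32's proposal: grant the upgrader separately from the file editor.
function example_grant_update_plugins( $role_name = 'administrator' ) {
	$role = get_role( $role_name );
	if ( ! $role )
		return false;
	$role->add_cap( 'update_plugins' );
	return true;
}

// One predicate used by both the list page and the handler, so the two cannot
// drift apart. Falls back to edit_plugins so sites that never grant the new
// capability keep the behaviour of the committed patch.
function example_user_can_update_plugins() {
	return current_user_can( 'update_plugins' ) || current_user_can( 'edit_plugins' );
}

// Plugin list row: show the automatic-upgrade link only to users who may run
// it, and only when the update response actually carries a package URL.
// $plugin_data is passed in here instead of read from the global core uses.
function example_plugin_update_row( $file, $plugin_data ) {
	$current = get_option( 'update_plugins' );
	if ( ! is_object( $current ) || ! isset( $current->response[ $file ] ) )
		return false;

	$r = $current->response[ $file ];
	echo "<tr><td colspan='5' class='plugin-update'>";
	if ( example_user_can_update_plugins() && ! empty( $r->package ) ) {
		printf( __( 'There is a new version of %1$s available. <a href="%2$s">Download version %3$s here</a> or <a href="%4$s">upgrade automatically</a>.' ),
			$plugin_data['Name'], $r->url, $r->new_version,
			wp_nonce_url( "update.php?action=upgrade-plugin&amp;plugin=$file", 'upgrade-plugin_' . $file ) );
	} else {
		printf( __( 'There is a new version of %1$s available. <a href="%2$s">Download version %3$s here</a>.' ),
			$plugin_data['Name'], $r->url, $r->new_version );
	}
	echo "</td></tr>";
	return true;
}

// Handler side. Hiding the link is cosmetic; this is the enforcement. The
// capability check stops users who may not upgrade, and the nonce check stops
// a forged link from running an upgrade on behalf of a user who may.
function example_authorize_upgrade_plugin( $plugin ) {
	if ( ! example_user_can_update_plugins() )
		wp_die( '<p>' . __( 'You do not have sufficient permissions to update plugins for this blog.' ) . '</p>' );
	check_admin_referer( 'upgrade-plugin_' . $plugin );
	return true; // the caller runs the core upgrader only after this returns
}
```

The point of keeping a single predicate is that the list page and update.php must agree: if only the notice is gated, a user who knows the URL can still reach the upgrader, and if only update.php is gated, users get offered a link that dies on them, which is the complaint that opened this ticket.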

03/17/08 00:04:12 changed by DD32

  • keywords set to dev-feedback reporter-feedback 2nd-opinion.

03/18/08 13:48:19 changed by Denis-de-Bernardy

The version checker plugin update will be supporting upgrades from 3rd party sites out of the box, and it works fine as far as I can tell.

There's no need for any extra hooks. At one point, I considered asking for something like $response = apply_filters($response) before updating the 'plugins_update' option, but catching the update_option_plugins_update hook or the load-plugins.php hook works too.

The permission problem raised above is very real, however, as is the package link problem.

03/20/08 23:22:51 changed by DD32

  • attachment 6248.diff added.

03/20/08 23:27:06 changed by DD32

  • keywords changed from dev-feedback reporter-feedback 2nd-opinion to has-patch dev-feedback.

Patch attached for the update url.

2nd patch attached to not offer automatic upgrade if user doesn't have edit_plugins permission.

I personally think upgrading the plugin is editing the plugin, and that's why I've left it attached to that permission. However, if devs feel it should be linked to a different permission, please step in and make it happen.

03/20/08 23:27:23 changed by DD32

  • attachment 6248.2.diff added.

03/20/08 23:43:54 changed by ryan

  • status changed from new to closed.
  • resolution set to fixed.

(In [7433]) Don't show plugin upgrade notice if user cannot edit_plugins. Props DD32. fixes #6248

03/20/08 23:54:17 changed by ryan

(In [7434]) Fix logic inversion. Props DD32. fixes #6248

03/21/08 11:40:33 changed by Denis-de-Bernardy

thanks dd32!