From 541dbb2711fa74e990d1d98d082cd608aae4c4de Mon Sep 17 00:00:00 2001 From: John Blackbourn <johnbillion@git.wordpress.org> Date: Tue, 15 Sep 2015 10:27:29 +0000 Subject: [PATCH] Remove the ability to view the post listing screen and post editing screen for post types with `show_ui` set to `false`. It is unexpected and unintended behaviour that this is allowed. If your plugin or site does rely on this behaviour, the arguments that are passed to `register_post_type()` should be altered so that `show_ui` is `true`, and arguments such as `show_in_menu`, `show_in_nav_menus`, and `show_in_admin_bar` are `false`. Fixes #33763 Props swissspidy, johnbillion Built from https://develop.svn.wordpress.org/trunk@34177 git-svn-id: http://core.svn.wordpress.org/trunk@34145 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/edit.php | 4 ++++ wp-admin/post.php | 4 ++++ wp-includes/link-template.php | 4 ++++ wp-includes/version.php | 2 +- 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/wp-admin/edit.php b/wp-admin/edit.php index 782b61dc42..b24684691d 100644 --- a/wp-admin/edit.php +++ b/wp-admin/edit.php @@ -12,6 +12,10 @@ require_once( dirname( __FILE__ ) . '/admin.php' ); if ( ! $typenow ) wp_die( __( 'Invalid post type' ) ); +if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) { + wp_die( __( 'You are not allowed to edit posts in this post type.' ) ); +} + if ( 'attachment' === $typenow ) { if ( wp_redirect( admin_url( 'upload.php' ) ) ) { exit; diff --git a/wp-admin/post.php b/wp-admin/post.php index 2fcef19ba2..ba43eb1c2b 100644 --- a/wp-admin/post.php +++ b/wp-admin/post.php @@ -109,6 +109,10 @@ case 'edit': if ( ! $post_type_object ) wp_die( __( 'Unknown post type.' ) ); + if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) { + wp_die( __( 'You are not allowed to edit posts in this post type.' ) ); + } + if ( ! current_user_can( 'edit_post', $post_id ) ) wp_die( __( 'You are not allowed to edit this item.' ) ); 
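Review bot: The new `in_array()` gate in wp-admin/edit.php compares `$typenow` loosely, and the same call shape is repeated in the wp-admin/post.php and wp-includes/link-template.php hunks. Because this test now decides whether an admin screen is reachable, I would pass the strict flag so a value of another type can never match through type juggling: `if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ), true ) ) {`. Three hand-copied conditions are also easy to let drift, so a single small helper that answers "does this post type have an admin UI" would be worth considering. This is a visibility gate rather than a capability check, so the capability checks for the listing screen, which are presumably further down and outside the hunk, still have to stay.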
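Review bot: In the `case 'edit':` branch of wp-admin/post.php the added check tests `$typenow`, while the checks directly above and below it work from `$post_type_object` and `$post_id`, that is, from the post actually being edited. How `$typenow` is populated is not visible in this hunk; if it can ever differ from the loaded post's type, the gate would be evaluated against the wrong post type. Reading the flag from the object that was validated just above removes that dependency and the list lookup: `if ( ! $post_type_object->show_ui ) {`. The switch starts and ends outside the hunk, so whether other actions need the same gate cannot be judged from here.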
diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php index ce041a05b5..fcaa834886 100644 --- a/wp-includes/link-template.php +++ b/wp-includes/link-template.php @@ -1228,6 +1228,10 @@ function get_edit_post_link( $id = 0, $context = 'display' ) { if ( !current_user_can( 'edit_post', $post->ID ) ) return; + if ( ! in_array( $post->post_type, get_post_types( array( 'show_ui' => true ) ) ) ) { + return; + } + /** * Filter the post edit link. * diff --git a/wp-includes/version.php b/wp-includes/version.php index 2c00565d05..ee02408f74 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.4-alpha-34176'; +$wp_version = '4.4-alpha-34177'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
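Review bot: The added early `return;` in `get_edit_post_link()` sits above the "Filter the post edit link" docblock, so for a post type with `show_ui` false the filter that presumably follows is never reached and callers receive `null`. A plugin that provides its own edit screen for such a type and supplies the URL through that filter would lose the link with no hook to restore it. If that is intended, the function's docblock (outside the hunk) should say so, for example `@return string|null The edit post link, or null if the post type has no admin UI or the user cannot edit the post.`. Hiding the link is presentation only; the access decision is the one made by the checks added in wp-admin/edit.php and wp-admin/post.php.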