
Experiments Settings page is available to edit_posts, should be manage_options #66117

@rmccue

Description

The Experiments Settings page is available to users with edit_posts; however, the page is for managing site-wide options. Under the hood, these settings use the Settings API, which checks manage_options, so this isn't strictly a security issue from what I can see; however, the page shouldn't be shown to users who cannot edit the options.

If it's intentional to show this so that users can see which settings are enabled, the Save button should be removed and the fields marked as disabled.

Step-by-step reproduction instructions

  1. Grant a user the Editor role
  2. Log in/switch to the user
  3. Observe the Gutenberg > Experiments page is visible in the menu.
  4. Observe that the page can be viewed, despite not having permissions to edit the settings.

Screenshots, screen recording, code snippet

No response

Environment info

No response

Please confirm that you have searched existing issues in the repo.

  • Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

  • Yes
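The capability mismatch the report describes, as an added example that is not Gutenberg's own code: a site-wide settings page whose menu capability matches the one the Settings API enforces on save, with the read-only variant (disabled fields, no Save button) behind a constant. The option name, menu slugs, page titles and the `EXAMPLE_READ_ONLY_VIEW` constant are assumptions made for this example.

```php
<?php
// Added example (not Gutenberg's code): a site-wide settings page gated the
// way the issue recommends. Option name, slugs and titles are made up here.
// Switch between the two remedies the issue describes: hide the page from
// non-admins entirely, or show it read-only to users with edit_posts.
const EXAMPLE_READ_ONLY_VIEW = false;

add_action( 'admin_init', function () {
    // options.php enforces manage_options when this option is saved, so the
    // menu capability should match unless read-only viewing is intended.
    register_setting( 'example_experiments', 'example_experiments' );
} );

add_action( 'admin_menu', function () {
    add_submenu_page(
        'gutenberg',
        'Experiments',
        'Experiments',
        EXAMPLE_READ_ONLY_VIEW ? 'edit_posts' : 'manage_options', // the bug: edit_posts
        'example-experiments',
        'example_render_experiments_page'
    );
} );

function example_render_experiments_page() {
    // Re-check inside the callback: admin.php?page=... can be requested
    // directly, so the menu entry alone is not an access control.
    $can_edit = current_user_can( 'manage_options' );
    if ( ! $can_edit && ! EXAMPLE_READ_ONLY_VIEW ) {
        wp_die( esc_html__( 'Sorry, you are not allowed to access this page.' ) );
    }
    $opts = (array) get_option( 'example_experiments', array() );
    ?>
    <div class="wrap">
        <h1><?php esc_html_e( 'Experiments' ); ?></h1>
        <form method="post" action="options.php">
            <?php settings_fields( 'example_experiments' ); ?>
            <label>
                <input type="checkbox" name="example_experiments[feature_a]" value="1"
                    <?php checked( ! empty( $opts['feature_a'] ) ); disabled( ! $can_edit ); ?> />
                <?php esc_html_e( 'Enable feature A' ); ?>
            </label>
            <?php
            // Read-only viewers get disabled fields and no Save button.
            if ( $can_edit ) {
                submit_button();
            }
            ?>
        </form>
    </div>
    <?php
}
```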

Metadata
Labels

  • [Status] In Progress: Tracking issues with work in progress
  • [Type] Bug: An existing feature does not function as intended
