If a user has the “edit_dashboard” capability, they have access to the configuration parameters of the widgets included in their dashboard. If a widget has parameters that tune how it works, such a user is able to change them. Let’s see. Go to the WordPress dashboard and move your mouse pointer to the top right corner of a widget box. Take, for example, the “WordPress Development Blog” widget, which is accessible to all logged-in users. Do you see a small downward-pointing arrow? As you may already know, it serves to collapse or expand the widget box. Move your mouse to the left of that arrow. If you have the “edit_dashboard” capability, you will see a “Configure” link appear there.
Find that link in the image below:
If you click the “Configure” link of the “WordPress Development Blog” widget, you will see its configuration panel:
To confirm my conclusion about the “edit_dashboard” capability, I searched all PHP files included in the WordPress installation package for occurrences of the string “edit_dashboard”. It was found in only one place: line #142 of the ‘wp-admin/includes/dashboard.php’ file. I quote it below for your further reference:
    138  function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_callback = null ) {
    139      $screen = get_current_screen();
    140      global $wp_dashboard_control_callbacks;
    141
    142      if ( $control_callback && current_user_can( 'edit_dashboard' ) && is_callable( $control_callback ) ) {
    143          $wp_dashboard_control_callbacks[$widget_id] = $control_callback;
    144          if ( isset( $_GET['edit'] ) && $widget_id == $_GET['edit'] ) {
    145              list($url) = explode( '#', add_query_arg( 'edit', false ), 2 );
    146              $widget_name .= ' <span class="postbox-title-action">' . __( 'Cancel' ) . '</span>';
    147              $callback = '_wp_dashboard_control_callback';
    148          } else {
    149              list($url) = explode( '#', add_query_arg( 'edit', $widget_id ), 2 );
    150              $widget_name .= ' <span class="postbox-title-action">' . __( 'Configure' ) . '</span>';
    151          }
    152      }
By default, the “edit_dashboard” capability is included in the “Administrator” role only.
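The following plugin sketch is an added example, not code from the original article or from WordPress core. It registers a widget with a control callback, so the gate quoted above decides who gets the “Configure” link, and it lists the roles that currently grant the capability. The `exd_*` function names, the `exd_widget` id and the `exd_item_count` option are hypothetical, and the code assumes it is loaded as a plugin inside WordPress.

```php
<?php
/*
 * Plugin Name: Example dashboard widget (hypothetical, added example)
 */

add_action( 'wp_dashboard_setup', 'exd_register_widget' );

function exd_register_widget() {
	// Core keeps the 4th argument only when current_user_can( 'edit_dashboard' ),
	// so users without the capability get the widget but no "Configure" link.
	wp_add_dashboard_widget( 'exd_widget', 'Example widget', 'exd_render', 'exd_control' );
}

// Display callback: shown to every user who can see the dashboard.
function exd_render() {
	$count = absint( get_option( 'exd_item_count', 5 ) );
	echo '<p>Items to show: ' . esc_html( $count ) . '</p>';
}

// Control callback: draws the settings fields and saves them on submit.
function exd_control() {
	// Re-check here so the handler does not rely only on the caller's gate.
	if ( ! current_user_can( 'edit_dashboard' ) ) {
		return;
	}
	if ( 'POST' === $_SERVER['REQUEST_METHOD'] && isset( $_POST['exd_item_count'] ) ) {
		// Coerce to an integer and clamp it before storing.
		$count = min( 20, max( 1, absint( $_POST['exd_item_count'] ) ) );
		update_option( 'exd_item_count', $count );
	}
	$count = absint( get_option( 'exd_item_count', 5 ) );
	echo '<label>Items: <input type="number" name="exd_item_count" min="1" max="20" value="'
		. esc_attr( $count ) . '" /></label>';
	echo '<p>Roles with edit_dashboard: '
		. esc_html( implode( ', ', exd_roles_with_cap() ) ) . '</p>';
}

// Audit helper: slugs of every role that currently grants the capability.
function exd_roles_with_cap( $cap = 'edit_dashboard' ) {
	$found = array();
	foreach ( wp_roles()->roles as $slug => $role ) {
		if ( ! empty( $role['capabilities'][ $cap ] ) ) {
			$found[] = $slug;
		}
	}
	return $found;
}
```

Any role slug in that list beyond the default is worth reviewing, since every user in it can change widget settings.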
A Russian translation of this article is available at this link.