#4935
Vladimir
Keymaster

Hi,

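The UpdraftPlus Backup/Restore plugin protects its “Settings -> UpdraftPlus Backups” menu item with the ‘manage_options’ user capability. That capability is a default passed through the ‘option_page_capability_updraft-options-group’ filter (see options.php:10, the last line of the listing below). The plugin also checks many other WordPress built-in user capabilities elsewhere in its code. Here is a search of the plugin source for current_user_can() calls: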


$ grep -rn 'current_user_can('
admin.php:370:                  if ('index.php' == $pagenow && current_user_can('update_plugins') && (!file_exists(UPDRAFTPLUS_DIR.'/udaddons') || (defined('UPDRAFTPLUS_FORCE_DASHNOTICE') && UPDRAFTPLUS_FORCE_DASHNOTICE))) {
admin.php:829:          if (!UpdraftPlus_Options::user_can_manage() || (!current_user_can('update_core') && !current_user_can('update_plugins') && !current_user_can('update_themes'))) return;
admin.php:960:                          if (!current_user_can('update_plugins')) return;
admin.php:962:                          if (!current_user_can('update_themes')) return;
admin.php:1314:                 if (!current_user_can('update_plugins') && !current_user_can('update_themes')) return;
admin.php:1316:                 if (!current_user_can('update_plugins')) return;
templates/wp-admin/advanced/site-info.php:90:           $updraftplus_admin->settings_debugrow(__('Plugins for debugging:', 'updraftplus'), '<a href="'.wp_nonce_url(self_admin_url('update.php?action=install-plugin&updraftplus_noautobackup=1&plugin=wp-crontrol'), 'install-plugin_wp-crontrol').'">WP Crontrol</a> | <a href="'.wp_nonce_url(self_admin_url('update.php?action=install-plugin&updraftplus_noautobackup=1&plugin=sql-executioner'), 'install-plugin_sql-executioner').'">SQL Executioner</a> | <a href="'.wp_nonce_url(self_admin_url('update.php?action=install-plugin&updraftplus_noautobackup=1&plugin=advanced-code-editor'), 'install-plugin_advanced-code-editor').'">Advanced Code Editor</a> '.(current_user_can('edit_plugins') ? '<a href="'.self_admin_url('plugin-editor.php?file=updraftplus/updraftplus.php').'">(edit UpdraftPlus)</a>' : '').' | <a href="'.wp_nonce_url(self_admin_url('update.php?action=install-plugin&updraftplus_noautobackup=1&plugin=wp-filemanager'), 'install-plugin_wp-filemanager').'">WP Filemanager</a>');
central/listener.php:179:               // Make it so that current_user_can() checks can apply + work
central/modules/updates.php:11:         if (!empty($updates['plugins']) && !current_user_can('update_plugins')) return $this->_generic_error_response('updates_permission_denied', 'update_plugins');
central/modules/updates.php:13:         if (!empty($updates['themes']) && !current_user_can('update_themes')) return $this->_generic_error_response('updates_permission_denied', 'update_themes');
central/modules/updates.php:15:         if (!empty($updates['core']) && !current_user_can('update_core')) return $this->_generic_error_response('updates_permission_denied', 'update_core');
central/modules/updates.php:93:         if (!current_user_can('update_plugins')) {
central/modules/updates.php:185:                if (!current_user_can('update_core')) {
central/modules/updates.php:281:                if (!current_user_can('update_themes')) {
central/modules/updates.php:537:                if (!current_user_can('update_plugins') && !current_user_can('update_themes') && !current_user_can('update_core')) return $this->_generic_error_response('updates_permission_denied');
central/modules/updates.php:546:                if (current_user_can('update_plugins')) {
central/modules/updates.php:589:                if (current_user_can('update_themes')) {
central/modules/updates.php:625:                if (current_user_can('update_core')) {
central/modules/plugin.php:45:          if (!current_user_can('activate_plugins'))
central/modules/plugin.php:79:          if (!current_user_can('install_plugins') || !current_user_can('activate_plugins'))
central/modules/users.php:419:          if (!current_user_can('create_users') && !is_super_admin()) {
central/modules/users.php:439:          if (isset($user['site_id']) && !current_user_can('manage_network_users')) {
central/modules/users.php:501:          if (!current_user_can('delete_users') && !is_super_admin()) {
central/modules/users.php:550:          if (!current_user_can('edit_users') && !is_super_admin() && get_current_user_id() !== $user["ID"]) {
central/modules/posts.php:274:          if (!current_user_can('edit_posts')) {
central/modules/posts.php:338:          if (!current_user_can('edit_posts') && !current_user_can('edit_other_posts')) {
central/modules/posts.php:400:          if (!current_user_can('delete_posts')) {
central/modules/posts.php:469:          if (!current_user_can('manage_categories')) {
central/modules/posts.php:532:          if (!current_user_can('manage_categories')) {
central/modules/posts.php:581:          if (!current_user_can('manage_categories')) {
central/modules/core.php:178:                   if (!current_user_can('update_plugins') && !current_user_can('update_themes') && !current_user_can('update_core')) return $this->_generic_error_response('updates_permission_denied');
options.php:10:         $user_can_manage = current_user_can(apply_filters('option_page_capability_updraft-options-group', 'manage_options'));