Description
The Experiments Settings page is available to users with edit_posts, however the page is for managing site-wide options. Under the hood, these settings use the Settings API which checks manage_options so this isn't strictly a security issue from what I can see, however the page shouldn't be shown to users who cannot edit the options.
If it's intentional to show this so that users can see which settings are enabled, the Save button should be removed and the fields marked as disabled.
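One way to make the page's visibility match the capability the Settings API enforces on save, as an added example that is not Gutenberg's own code; the parent slug, page slug, option group and function names are assumptions:

```php
<?php
// Hypothetical plugin code (not Gutenberg's). It shows the weak registration
// next to the corrected one, plus a render callback that degrades to a
// read-only view when the current user cannot manage options.

// Weak: the menu entry is gated on edit_posts, so an Editor sees a page
// whose Save button fails, because options.php checks manage_options.
function example_register_experiments_page_weak() {
    add_submenu_page(
        'example-parent',      // assumed parent menu slug
        'Experiments Settings',
        'Experiments',
        'edit_posts',          // too permissive for site-wide options
        'example-experiments', // assumed page slug
        'example_render_experiments_page'
    );
}

// Corrected: gate the menu on manage_options, the same capability the
// Settings API checks on submit, so users who cannot change the options
// do not see the page at all.
function example_register_experiments_page() {
    add_submenu_page(
        'example-parent',
        'Experiments Settings',
        'Experiments',
        'manage_options',
        'example-experiments',
        'example_render_experiments_page'
    );
}
add_action( 'admin_menu', 'example_register_experiments_page' );

// Render callback. Menu visibility is not an access control on its own,
// so the capability is re-checked here; if the page is meant to be
// viewable read-only, fields are disabled and the Save button is omitted.
function example_render_experiments_page() {
    $can_edit = current_user_can( 'manage_options' );
    ?>
    <div class="wrap">
        <form method="post" action="options.php">
            <?php settings_fields( 'example_experiments' ); // assumed option group ?>
            <label>
                <input type="checkbox" name="example_experiments[demo]" value="1"
                    <?php disabled( ! $can_edit ); ?> /> Enable demo experiment
            </label>
            <?php if ( $can_edit ) { submit_button(); } ?>
        </form>
    </div>
    <?php
}
```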
Step-by-step reproduction instructions
- Grant a user the Editor role
- Log in/switch to the user
- Observe the Gutenberg > Experiments page is visible in the menu.
- Observe that the page can be viewed, despite not having permissions to edit the settings.
Screenshots, screen recording, code snippet
No response
Environment info
No response
Please confirm that you have searched existing issues in the repo.
Please confirm that you have tested with all plugins deactivated except Gutenberg.