From a923d36085a7aa74b1c504c6bfccfa7afa4fc738 Mon Sep 17 00:00:00 2001
From: John Blackbourn
Date: Tue, 15 Sep 2015 10:26:22 +0000
Subject: [PATCH] Remove the ability to view the post listing screen and post editing screen for post types with `show_ui` set to `false`. It is unexpected and unintended behaviour that this is allowed. If your plugin or site does rely on this behaviour, the arguments that are passed to `register_post_type()` should be altered so that `show_ui` is `true`, and arguments such as `show_in_menu`, `show_in_nav_menus`, and `show_in_admin_bar` are `false`. Fixes #33763 Props swissspidy, johnbillion git-svn-id: https://develop.svn.wordpress.org/trunk@34177 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/edit.php | 4 ++++
 src/wp-admin/post.php | 4 ++++
 src/wp-includes/link-template.php | 4 ++++
 3 files changed, 12 insertions(+)
diff --git a/src/wp-admin/edit.php b/src/wp-admin/edit.php
index 782b61dc42..b24684691d 100644
--- a/src/wp-admin/edit.php
+++ b/src/wp-admin/edit.php
@@ -12,6 +12,10 @@ require_once( dirname( __FILE__ ) . '/admin.php' );
 if ( ! $typenow )
  wp_die( __( 'Invalid post type' ) );
 
+if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) {
+ wp_die( __( 'You are not allowed to edit posts in this post type.' ) );
+}
+
 if ( 'attachment' === $typenow ) {
  if ( wp_redirect( admin_url( 'upload.php' ) ) ) {
   exit;
diff --git a/src/wp-admin/post.php b/src/wp-admin/post.php
index 2fcef19ba2..ba43eb1c2b 100644
--- a/src/wp-admin/post.php
+++ b/src/wp-admin/post.php
@@ -109,6 +109,10 @@ case 'edit':
  if ( ! $post_type_object )
   wp_die( __( 'Unknown post type.' ) );
 
+ if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) ) ) {
+  wp_die( __( 'You are not allowed to edit posts in this post type.' ) );
+ }
+
  if ( ! current_user_can( 'edit_post', $post_id ) )
   wp_die( __( 'You are not allowed to edit this item.' ) );
 
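Review bot: The added guard `in_array( $typenow, get_post_types( array( 'show_ui' => true ) ) )` compares loosely, so a post type name that is a numeric string can match a differently spelled numeric string in the returned list and slip through or be wrongly blocked; pass the strict flag, `if ( ! in_array( $typenow, get_post_types( array( 'show_ui' => true ) ), true ) ) {`. The same loose comparison appears in the post.php hunk (on `$typenow`) and in the link-template.php hunk (on `$post->post_type`), and should get the third argument there too. Note also that this is a UI-visibility gate rather than a capability check, so the `wp_die()` message wording about being "not allowed" is slightly misleading to the reader; a one-line comment such as `// Post types registered with show_ui => false have no admin screens.` above the guard would make the intent clear.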
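Review bot: `$post_type_object` is already resolved and validated on the context line directly above the added block, so the new guard can read the flag it needs from there, `if ( ! $post_type_object->show_ui ) {`, instead of rebuilding the whole list of visible post types via get_post_types() and a loose in_array() on `$typenow`. The guard is placed inside the `case 'edit':` branch, whose enclosing switch starts and ends outside the hunk; as far as the hunk shows, the other actions post.php handles remain governed only by their existing capability checks, which matches the commit message's stated scope (listing and editing screens) but is worth recording in the message or a comment so nobody reads this as a blanket restriction on the post type.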
diff --git a/src/wp-includes/link-template.php b/src/wp-includes/link-template.php
index ce041a05b5..fcaa834886 100644
--- a/src/wp-includes/link-template.php
+++ b/src/wp-includes/link-template.php
@@ -1228,6 +1228,10 @@ function get_edit_post_link( $id = 0, $context = 'display' ) {
  if ( !current_user_can( 'edit_post', $post->ID ) )
   return;
 
+ if ( ! in_array( $post->post_type, get_post_types( array( 'show_ui' => true ) ) ) ) {
+  return;
+ }
+
  /**
   * Filter the post edit link.
   *
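Review bot: get_edit_post_link()'s docblock, which sits outside the hunk, is not updated to say that the function now returns nothing for post types registered with `show_ui` false, and the `get_edit_post_link` filter documented directly below the added block is never reached for them, so plugins that relied on that filter to supply an edit URL for a hidden-UI type will silently get null. Add to the function's return documentation a sentence along the lines of `Returns null if the post type is not shown in the admin UI (show_ui false) or the current user cannot edit the post.` Since the new condition depends only on the post type, `get_post_type_object( $post->post_type )` and a check of its `show_ui` property would also avoid recomputing the full post type list on every link; get_edit_post_link()'s body continues outside the hunk.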