security hole in wordpress-admin-bar under WPMU?


I just tried logging into ucalgaryblogs.ca using a test user account, and was surprised to see a strange item in the admin bar at the top of the page:

[image: wordpress-admin-bar-security-hole]

I was curious, so I clicked it.

[image: wordpress-admin-bar-security-hole-menu]

mwah? Those are site-admin items, being displayed to a non-admin user. I was actually able to click the "Admin Message" item to set that, even though the logged-in user wasn't an admin. Scary. Luckily, nobody's noticed the extra menu yet - or if they have, they've behaved.

I poked around in the wordpress-admin-bar.php file to see if I could plug the hole. I have no idea if this is the right way, but I've added this bit:

} else {
    if ($menu[0]['title'] === null)  continue; // this is the line I added
    echo '                  
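The one-line patch above skips a menu whose top-level title is null, which closes the hole that was visible, but it treats "no title" as the authorization signal. A more robust version of the same idea is to decide visibility from an explicit capability check, so that a site-admin menu is dropped for a non-admin even when it happens to have a title. The following is an added example written for this post, not code from the wordpress-admin-bar plugin; the menu layout (`$menu[0]` as the top-level item) follows the fragment above, while the `cap` key, the `manage_sites` capability name, the `wpab_` function names and the URLs in the sample data are assumptions made for the example. Inside WordPress the `$can` argument would be `'current_user_can'`; under WPMU a site-admin menu should additionally be gated on `is_site_admin()`.

```php
<?php
// Added example, not the wordpress-admin-bar plugin's own code.
// Visibility is decided by a capability check, not by whether the title is null.

/**
 * Return true when the current user may see this menu.
 * $menu[0] is the top-level item (layout assumed from the plugin fragment);
 * $can is the capability check to call, e.g. 'current_user_can' inside WordPress.
 */
function wpab_menu_visible(array $menu, callable $can) {
    // A menu with no top-level title was never meant to render for this user.
    if (empty($menu[0]['title'])) {
        return false;
    }
    // 'cap' is an assumed key. A menu that forgot to declare one is treated as
    // site-admin only, so a missing key fails closed rather than open.
    $cap = isset($menu[0]['cap']) ? $menu[0]['cap'] : 'manage_sites';
    return (bool) $can($cap);
}

/** Keep only the menus the current user is allowed to see. */
function wpab_filter_menus(array $menus, callable $can) {
    return array_values(array_filter($menus, function ($m) use ($can) {
        return wpab_menu_visible($m, $can);
    }));
}

// Constructed sample data so the file runs outside WordPress; paths are made up.
$menus = array(
    array(array('title' => 'Dashboard',  'href' => '/wp-admin/',           'cap' => 'read')),
    array(array('title' => 'Site Admin', 'href' => '/wp-admin/site-admin/', 'cap' => 'manage_sites'),
          array('title' => 'Admin Message', 'href' => '/wp-admin/site-admin/message/')),
    // Title hidden for this user, but the menu entry is still present in the array.
    array(array('title' => null, 'href' => '/wp-admin/site-admin/blogs/')),
);

// Stand-ins for current_user_can(): a plain subscriber and a site admin.
$subscriber_can = function ($cap) { return $cap === 'read'; };
$site_admin_can = function ($cap) { return true; };

foreach (wpab_filter_menus($menus, $subscriber_can) as $m) {
    echo "subscriber sees: {$m[0]['title']}\n";
}
foreach (wpab_filter_menus($menus, $site_admin_can) as $m) {
    echo "site admin sees: {$m[0]['title']}\n";
}
```

Run on its own with `php`, the subscriber closure keeps only the Dashboard menu: the Site Admin menu is rejected by its capability even though it has a title, and the null-titled menu is rejected by the first check. The point of the fail-closed default is that a menu added later without a `cap` entry does not quietly become visible to everyone.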