From b923f34a9c68111a14e176ae1fcebd9897c4ec50 Mon Sep 17 00:00:00 2001
From: Sukhendu Sekhar Guria <sukhendu.guria@rtcamp.com>
Date: Wed, 17 Jun 2026 13:13:24 +0530
Subject: [PATCH] Add manage_nav_menus capability

---
 src/wp-admin/includes/ajax-actions.php        |   8 +-
 src/wp-admin/menu.php                         |  21 +++-
 src/wp-admin/nav-menus.php                    |   4 +-
 src/wp-includes/admin-bar.php                 |  12 +-
 src/wp-includes/capabilities.php              |  18 +++
 .../class-wp-customize-control.php            |   2 +-
 .../class-wp-customize-nav-menus.php          |  53 +++++---
 .../class-wp-rest-menu-items-controller.php   |  40 ++++++-
 ...lass-wp-rest-menu-locations-controller.php |   2 +-
 .../class-wp-rest-menus-controller.php        |   4 +-
 src/wp-includes/taxonomy.php                  |   8 +-
 .../widgets/class-wp-nav-menu-widget.php      |  16 ++-
 tests/phpunit/tests/adminbar.php              |  46 +++++++
 tests/phpunit/tests/ajax/wpAjaxNavMenus.php   | 113 ++++++++++++++++++
 tests/phpunit/tests/customize/nav-menus.php   |  26 +++-
 .../rest-api/wpRestMenuItemsController.php    |  65 ++++++++++
 .../wpRestMenuLocationsController.php         |  54 ++++++++-
 .../tests/rest-api/wpRestMenusController.php  |  61 ++++++++++
 tests/phpunit/tests/user/capabilities.php     |   2 +
 19 files changed, 495 insertions(+), 60 deletions(-)
 create mode 100644 tests/phpunit/tests/ajax/wpAjaxNavMenus.php

diff --git a/src/wp-admin/includes/ajax-actions.php b/src/wp-admin/includes/ajax-actions.php
index 2af08fba70af9..ee6acda7ea976 100644
--- a/src/wp-admin/includes/ajax-actions.php
+++ b/src/wp-admin/includes/ajax-actions.php
@@ -1527,7 +1527,7 @@ function wp_ajax_edit_comment() {
 function wp_ajax_add_menu_item() {
 	check_ajax_referer( 'add-menu_item', 'menu-settings-column-nonce' );
 
-	if ( ! current_user_can( 'edit_theme_options' ) ) {
+	if ( ! current_user_can( 'manage_nav_menus' ) ) {
 		wp_die( -1 );
 	}
 
@@ -1879,7 +1879,7 @@ function wp_ajax_update_welcome_panel() {
  * @since 3.1.0
  */
 function wp_ajax_menu_get_metabox() {
-	if ( ! current_user_can( 'edit_theme_options' ) ) {
+	if ( ! current_user_can( 'manage_nav_menus' ) ) {
 		wp_die( -1 );
 	}
 
@@ -1966,7 +1966,7 @@ function wp_ajax_wp_link_ajax() {
  * @since 3.1.0
  */
 function wp_ajax_menu_locations_save() {
-	if ( ! current_user_can( 'edit_theme_options' ) ) {
+	if ( ! current_user_can( 'manage_nav_menus' ) ) {
 		wp_die( -1 );
 	}
 
@@ -2022,7 +2022,7 @@ function wp_ajax_meta_box_order() {
  * @since 3.1.0
  */
 function wp_ajax_menu_quick_search() {
-	if ( ! current_user_can( 'edit_theme_options' ) ) {
+	if ( ! current_user_can( 'manage_nav_menus' ) ) {
 		wp_die( -1 );
 	}
 
diff --git a/src/wp-admin/menu.php b/src/wp-admin/menu.php
index 57d94c75e26f2..dd922d9a85f85 100644
--- a/src/wp-admin/menu.php
+++ b/src/wp-admin/menu.php
@@ -204,7 +204,16 @@
 
 $menu[59] = array( '', 'read', 'separator2', '', 'wp-menu-separator' );
 
-$appearance_capability = current_user_can( 'switch_themes' ) ? 'switch_themes' : 'edit_theme_options';
+$themes_capability     = current_user_can( 'switch_themes' ) ? 'switch_themes' : 'edit_theme_options';
+$appearance_capability = $themes_capability;
+
+if (
+	! current_user_can( $appearance_capability ) &&
+	current_user_can( 'manage_nav_menus' ) &&
+	( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) )
+) {
+	$appearance_capability = 'manage_nav_menus';
+}
 
 $menu[60] = array( __( 'Appearance' ), $appearance_capability, 'themes.php', '', 'menu-top menu-icon-appearance', 'menu-appearance', 'dashicons-admin-appearance' );
 
@@ -222,7 +231,7 @@
 }
 
 	/* translators: %s: Number of available theme updates. */
-	$submenu['themes.php'][5] = array( sprintf( __( 'Themes %s' ), $count ), $appearance_capability, 'themes.php' );
+	$submenu['themes.php'][5] = array( sprintf( __( 'Themes %s' ), $count ), $themes_capability, 'themes.php' );
 
 if ( wp_is_block_theme() ) {
 	$submenu['themes.php'][6] = array( _x( 'Editor', 'site editor menu item' ), 'edit_theme_options', 'site-editor.php' );
@@ -248,20 +257,20 @@
 }
 
 if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) ) {
-	$submenu['themes.php'][10] = array( __( 'Menus' ), 'edit_theme_options', 'nav-menus.php' );
+	$submenu['themes.php'][10] = array( __( 'Menus' ), 'manage_nav_menus', 'nav-menus.php' );
 }
 
 if ( current_theme_supports( 'custom-header' ) && current_user_can( 'customize' ) ) {
 	$customize_header_url      = add_query_arg( array( 'autofocus' => array( 'control' => 'header_image' ) ), $customize_url );
-	$submenu['themes.php'][15] = array( _x( 'Header', 'custom image header' ), $appearance_capability, esc_url( $customize_header_url ), '', 'hide-if-no-customize' );
+	$submenu['themes.php'][15] = array( _x( 'Header', 'custom image header' ), $themes_capability, esc_url( $customize_header_url ), '', 'hide-if-no-customize' );
 }
 
 if ( current_theme_supports( 'custom-background' ) && current_user_can( 'customize' ) ) {
 	$customize_background_url  = add_query_arg( array( 'autofocus' => array( 'control' => 'background_image' ) ), $customize_url );
-	$submenu['themes.php'][20] = array( _x( 'Background', 'custom background' ), $appearance_capability, esc_url( $customize_background_url ), '', 'hide-if-no-customize' );
+	$submenu['themes.php'][20] = array( _x( 'Background', 'custom background' ), $themes_capability, esc_url( $customize_background_url ), '', 'hide-if-no-customize' );
 }
 
-unset( $customize_url, $appearance_capability );
+unset( $customize_url, $appearance_capability, $themes_capability );
 
 // Add 'Theme File Editor' to the bottom of the Appearance (non-block themes) or Tools (block themes) menu.
 if ( ! is_multisite() ) {
diff --git a/src/wp-admin/nav-menus.php b/src/wp-admin/nav-menus.php
index 808574f1250d6..66e2397738ed9 100644
--- a/src/wp-admin/nav-menus.php
+++ b/src/wp-admin/nav-menus.php
@@ -20,10 +20,10 @@
 }
 
 // Permissions check.
-if ( ! current_user_can( 'edit_theme_options' ) ) {
+if ( ! current_user_can( 'manage_nav_menus' ) ) {
 	wp_die(
 		'<h1>' . __( 'You need a higher level of permission.' ) . '</h1>' .
-		'<p>' . __( 'Sorry, you are not allowed to edit theme options on this site.' ) . '</p>',
+		'<p>' . __( 'Sorry, you are not allowed to manage navigation menus on this site.' ) . '</p>',
 		403
 	);
 }
diff --git a/src/wp-includes/admin-bar.php b/src/wp-includes/admin-bar.php
index 50868b11a2870..00d25b473b2c1 100644
--- a/src/wp-includes/admin-bar.php
+++ b/src/wp-includes/admin-bar.php
@@ -1151,11 +1151,7 @@ function wp_admin_bar_appearance_menu( $wp_admin_bar ) {
 		);
 	}
 
-	if ( ! current_user_can( 'edit_theme_options' ) ) {
-		return;
-	}
-
-	if ( current_theme_supports( 'widgets' ) ) {
+	if ( current_user_can( 'edit_theme_options' ) && current_theme_supports( 'widgets' ) ) {
 		$wp_admin_bar->add_node(
 			array(
 				'parent' => 'appearance',
@@ -1166,7 +1162,7 @@ function wp_admin_bar_appearance_menu( $wp_admin_bar ) {
 		);
 	}
 
-	if ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) ) {
+	if ( current_user_can( 'manage_nav_menus' ) && ( current_theme_supports( 'menus' ) || current_theme_supports( 'widgets' ) ) ) {
 		$wp_admin_bar->add_node(
 			array(
 				'parent' => 'appearance',
@@ -1177,7 +1173,7 @@ function wp_admin_bar_appearance_menu( $wp_admin_bar ) {
 		);
 	}
 
-	if ( current_theme_supports( 'custom-background' ) ) {
+	if ( current_user_can( 'edit_theme_options' ) && current_theme_supports( 'custom-background' ) ) {
 		$wp_admin_bar->add_node(
 			array(
 				'parent' => 'appearance',
@@ -1191,7 +1187,7 @@ function wp_admin_bar_appearance_menu( $wp_admin_bar ) {
 		);
 	}
 
-	if ( current_theme_supports( 'custom-header' ) ) {
+	if ( current_user_can( 'edit_theme_options' ) && current_theme_supports( 'custom-header' ) ) {
 		$wp_admin_bar->add_node(
 			array(
 				'parent' => 'appearance',
diff --git a/src/wp-includes/capabilities.php b/src/wp-includes/capabilities.php
index 028e61ec414a8..61b762d27dcc4 100644
--- a/src/wp-includes/capabilities.php
+++ b/src/wp-includes/capabilities.php
@@ -34,6 +34,7 @@
  *              `edit_app_password`, `delete_app_passwords`, `delete_app_password`,
  *              and `update_https` capabilities.
  * @since 6.7.0 Added the `edit_block_binding` capability.
+ * @since 7.1.0 Added the `manage_nav_menus` capability.
  *
  * @global array $post_type_meta_caps Used to get post type meta capabilities.
  *
@@ -136,6 +137,13 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
 				break;
 			}
 
+			// Route nav_menu_item edit/delete through manage_nav_menus
+			// instead of the post type's primitive edit_theme_options caps.
+			if ( 'nav_menu_item' === $post->post_type ) {
+				$caps = map_meta_cap( 'manage_nav_menus', $user_id );
+				break;
+			}
+
 			if ( ! $post_type->map_meta_cap ) {
 				$caps[] = $post_type->cap->$cap;
 				// Prior to 3.1 we would re-call map_meta_cap here.
@@ -239,6 +247,13 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
 				break;
 			}
 
+			// Route nav_menu_item edit/delete through manage_nav_menus
+			// instead of the post type's primitive edit_theme_options caps.
+			if ( 'nav_menu_item' === $post->post_type ) {
+				$caps = map_meta_cap( 'manage_nav_menus', $user_id );
+				break;
+			}
+
 			if ( ! $post_type->map_meta_cap ) {
 				$caps[] = $post_type->cap->$cap;
 				// Prior to 3.1 we would re-call map_meta_cap here.
@@ -698,6 +713,9 @@ function map_meta_cap( $cap, $user_id, ...$args ) {
 		case 'customize':
 			$caps[] = 'edit_theme_options';
 			break;
+		case 'manage_nav_menus':
+			$caps[] = 'edit_theme_options';
+			break;
 		case 'delete_site':
 			if ( is_multisite() ) {
 				$caps[] = 'manage_options';
diff --git a/src/wp-includes/class-wp-customize-control.php b/src/wp-includes/class-wp-customize-control.php
index 43f0ac6d4ca64..cb6e340c28699 100644
--- a/src/wp-includes/class-wp-customize-control.php
+++ b/src/wp-includes/class-wp-customize-control.php
@@ -636,7 +636,7 @@ protected function render_content() {
 
 				echo $dropdown;
 				?>
-				<?php if ( $this->allow_addition && current_user_can( 'publish_pages' ) && current_user_can( 'edit_theme_options' ) ) : // Currently tied to menus functionality. ?>
+				<?php if ( $this->allow_addition && current_user_can( 'publish_pages' ) && current_user_can( 'manage_nav_menus' ) ) : // Currently tied to menus functionality. ?>
 					<button type="button" class="button-link add-new-toggle">
 						<?php
 						/* translators: %s: Add Page label. */
diff --git a/src/wp-includes/class-wp-customize-nav-menus.php b/src/wp-includes/class-wp-customize-nav-menus.php
index 201122adf3fe0..43ca2dad4f0b4 100644
--- a/src/wp-includes/class-wp-customize-nav-menus.php
+++ b/src/wp-includes/class-wp-customize-nav-menus.php
@@ -53,7 +53,7 @@ public function __construct( $manager ) {
 		add_action( 'customize_save_nav_menus_created_posts', array( $this, 'save_nav_menus_created_posts' ) );
 
 		// Skip remaining hooks when the user can't manage nav menus anyway.
-		if ( ! current_user_can( 'edit_theme_options' ) ) {
+		if ( ! current_user_can( 'manage_nav_menus' ) ) {
 			return;
 		}
 
@@ -92,7 +92,7 @@ public function filter_nonces( $nonces ) {
 	public function ajax_load_available_items() {
 		check_ajax_referer( 'customize-menus', 'customize-menus-nonce' );
 
-		if ( ! current_user_can( 'edit_theme_options' ) ) {
+		if ( ! current_user_can( 'manage_nav_menus' ) ) {
 			wp_die( -1 );
 		}
 
@@ -317,7 +317,7 @@ public function load_available_items_query( $object_type = 'post_type', $object_
 	public function ajax_search_available_items() {
 		check_ajax_referer( 'customize-menus', 'customize-menus-nonce' );
 
-		if ( ! current_user_can( 'edit_theme_options' ) ) {
+		if ( ! current_user_can( 'manage_nav_menus' ) ) {
 			wp_die( -1 );
 		}
 
@@ -594,13 +594,15 @@ public function enqueue_scripts() {
 	public function filter_dynamic_setting_args( $setting_args, $setting_id ) {
 		if ( preg_match( WP_Customize_Nav_Menu_Setting::ID_PATTERN, $setting_id ) ) {
 			$setting_args = array(
-				'type'      => WP_Customize_Nav_Menu_Setting::TYPE,
-				'transport' => 'postMessage',
+				'type'       => WP_Customize_Nav_Menu_Setting::TYPE,
+				'transport'  => 'postMessage',
+				'capability' => 'manage_nav_menus',
 			);
 		} elseif ( preg_match( WP_Customize_Nav_Menu_Item_Setting::ID_PATTERN, $setting_id ) ) {
 			$setting_args = array(
-				'type'      => WP_Customize_Nav_Menu_Item_Setting::TYPE,
-				'transport' => 'postMessage',
+				'type'       => WP_Customize_Nav_Menu_Item_Setting::TYPE,
+				'transport'  => 'postMessage',
+				'capability' => 'manage_nav_menus',
 			);
 		}
 		return $setting_args;
@@ -681,6 +683,7 @@ public function customize_register() {
 					'title'       => __( 'Menus' ),
 					'description' => $description,
 					'priority'    => 100,
+					'capability'  => 'manage_nav_menus',
 				)
 			)
 		);
@@ -709,6 +712,7 @@ public function customize_register() {
 				'panel'       => 'nav_menus',
 				'priority'    => 30,
 				'description' => $description,
+				'capability'  => 'manage_nav_menus',
 			)
 		);
 
@@ -735,7 +739,8 @@ public function customize_register() {
 
 			$setting = $this->manager->get_setting( $setting_id );
 			if ( $setting ) {
-				$setting->transport = 'postMessage';
+				$setting->transport  = 'postMessage';
+				$setting->capability = 'manage_nav_menus';
 				remove_filter( "customize_sanitize_{$setting_id}", 'absint' );
 				add_filter( "customize_sanitize_{$setting_id}", array( $this, 'intval_base10' ) );
 			} else {
@@ -747,6 +752,7 @@ public function customize_register() {
 						'type'              => 'theme_mod',
 						'transport'         => 'postMessage',
 						'default'           => 0,
+						'capability'        => 'manage_nav_menus',
 					)
 				);
 			}
@@ -786,9 +792,10 @@ public function customize_register() {
 					$this->manager,
 					$section_id,
 					array(
-						'title'    => html_entity_decode( $menu->name, ENT_QUOTES, get_bloginfo( 'charset' ) ),
-						'priority' => 10,
-						'panel'    => 'nav_menus',
+						'title'      => html_entity_decode( $menu->name, ENT_QUOTES, get_bloginfo( 'charset' ) ),
+						'priority'   => 10,
+						'panel'      => 'nav_menus',
+						'capability' => 'manage_nav_menus',
 					)
 				)
 			);
@@ -799,7 +806,8 @@ public function customize_register() {
 					$this->manager,
 					$nav_menu_setting_id,
 					array(
-						'transport' => 'postMessage',
+						'transport'  => 'postMessage',
+						'capability' => 'manage_nav_menus',
 					)
 				)
 			);
@@ -823,8 +831,9 @@ public function customize_register() {
 						$this->manager,
 						$menu_item_setting_id,
 						array(
-							'value'     => $value,
-							'transport' => 'postMessage',
+							'value'      => $value,
+							'transport'  => 'postMessage',
+							'capability' => 'manage_nav_menus',
 						)
 					)
 				);
@@ -850,10 +859,11 @@ public function customize_register() {
 		$this->manager->add_section(
 			'add_menu',
 			array(
-				'type'     => 'new_menu',
-				'title'    => __( 'New Menu' ),
-				'panel'    => 'nav_menus',
-				'priority' => 20,
+				'type'       => 'new_menu',
+				'title'      => __( 'New Menu' ),
+				'panel'      => 'nav_menus',
+				'priority'   => 20,
+				'capability' => 'manage_nav_menus',
 			)
 		);
 
@@ -866,6 +876,7 @@ public function customize_register() {
 					'type'              => 'option', // To prevent theme prefix in changeset.
 					'default'           => array(),
 					'sanitize_callback' => array( $this, 'sanitize_nav_menus_created_posts' ),
+					'capability'        => 'manage_nav_menus',
 				)
 			)
 		);
@@ -1005,6 +1016,10 @@ public function ajax_insert_auto_draft_post() {
 			wp_send_json_error( 'customize_not_allowed', 403 );
 		}
 
+		if ( ! current_user_can( 'manage_nav_menus' ) ) {
+			wp_send_json_error( 'cannot_manage_nav_menus', 403 );
+		}
+
 		if ( empty( $_POST['params'] ) || ! is_array( $_POST['params'] ) ) {
 			wp_send_json_error( 'missing_params', 400 );
 		}
@@ -1328,7 +1343,7 @@ public function customize_dynamic_partial_args( $partial_args, $partial_id ) {
 					'render_callback'     => array( $this, 'render_nav_menu_partial' ),
 					'container_inclusive' => true,
 					'settings'            => array(), // Empty because the nav menu instance may relate to a menu or a location.
-					'capability'          => 'edit_theme_options',
+					'capability'          => 'manage_nav_menus',
 				)
 			);
 		}
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
index dd72bc1c15210..5f000324241ef 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-items-controller.php
@@ -42,6 +42,10 @@ protected function get_nav_menu_item( $id ) {
 	 * @return true|WP_Error True if the request has read access, WP_Error object otherwise.
 	 */
 	public function get_items_permissions_check( $request ) {
+		if ( 'edit' === $request['context'] && current_user_can( 'manage_nav_menus' ) ) {
+			return true;
+		}
+
 		$has_permission = parent::get_items_permissions_check( $request );
 
 		if ( true !== $has_permission ) {
@@ -69,10 +73,42 @@ public function get_item_permissions_check( $request ) {
 		return $this->check_has_read_only_access( $request );
 	}
 
+	/**
+	 * Checks if a given request has access to create a menu item.
+	 *
+	 * @since 7.1.0
+	 *
+	 * @param WP_REST_Request $request Full details about the request.
+	 * @return true|WP_Error True if the request has access to create items, WP_Error object otherwise.
+	 */
+	public function create_item_permissions_check( $request ) {
+		if ( ! current_user_can( 'manage_nav_menus' ) ) {
+			return parent::create_item_permissions_check( $request );
+		}
+
+		if ( ! empty( $request['id'] ) ) {
+			return new WP_Error(
+				'rest_post_exists',
+				__( 'Cannot create existing post.' ),
+				array( 'status' => 400 )
+			);
+		}
+
+		if ( ! $this->check_assign_terms_permission( $request ) ) {
+			return new WP_Error(
+				'rest_cannot_assign_term',
+				__( 'Sorry, you are not allowed to assign the provided terms.' ),
+				array( 'status' => rest_authorization_required_code() )
+			);
+		}
+
+		return true;
+	}
+
 	/**
 	 * Checks whether the current user has read permission for the endpoint.
 	 *
-	 * This allows for any user that can `edit_theme_options` or edit any REST API available post type.
+	 * This allows for any user that can `manage_nav_menus` or edit any REST API available post type.
 	 *
 	 * @since 5.9.0
 	 *
@@ -95,7 +131,7 @@ protected function check_has_read_only_access( $request ) {
 			return true;
 		}
 
-		if ( current_user_can( 'edit_theme_options' ) ) {
+		if ( current_user_can( 'manage_nav_menus' ) ) {
 			return true;
 		}
 
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-locations-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-locations-controller.php
index c9ce88ce24f36..590fd6b6895f0 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-locations-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-menu-locations-controller.php
@@ -156,7 +156,7 @@ protected function check_has_read_only_access( $request ) {
 			return true;
 		}
 
-		if ( ! current_user_can( 'edit_theme_options' ) ) {
+		if ( ! current_user_can( 'manage_nav_menus' ) ) {
 			return new WP_Error(
 				'rest_cannot_view',
 				__( 'Sorry, you are not allowed to view menu locations.' ),
diff --git a/src/wp-includes/rest-api/endpoints/class-wp-rest-menus-controller.php b/src/wp-includes/rest-api/endpoints/class-wp-rest-menus-controller.php
index 3947bfd6107ce..7bdca828af857 100644
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-menus-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-menus-controller.php
@@ -76,7 +76,7 @@ protected function get_term( $id ) {
 	/**
 	 * Checks whether the current user has read permission for the endpoint.
 	 *
-	 * This allows for any user that can `edit_theme_options` or edit any REST API available post type.
+	 * This allows for any user that can `manage_nav_menus` or edit any REST API available post type.
 	 *
 	 * @since 5.9.0
 	 *
@@ -90,7 +90,7 @@ protected function check_has_read_only_access( $request ) {
 			return true;
 		}
 
-		if ( current_user_can( 'edit_theme_options' ) ) {
+		if ( current_user_can( 'manage_nav_menus' ) ) {
 			return true;
 		}
 
diff --git a/src/wp-includes/taxonomy.php b/src/wp-includes/taxonomy.php
index 80f457de0e6f7..867221aa2fea3 100644
--- a/src/wp-includes/taxonomy.php
+++ b/src/wp-includes/taxonomy.php
@@ -122,10 +122,10 @@ function create_initial_taxonomies() {
 			'_builtin'              => true,
 			'show_in_nav_menus'     => false,
 			'capabilities'          => array(
-				'manage_terms' => 'edit_theme_options',
-				'edit_terms'   => 'edit_theme_options',
-				'delete_terms' => 'edit_theme_options',
-				'assign_terms' => 'edit_theme_options',
+				'manage_terms' => 'manage_nav_menus',
+				'edit_terms'   => 'manage_nav_menus',
+				'delete_terms' => 'manage_nav_menus',
+				'assign_terms' => 'manage_nav_menus',
 			),
 			'show_in_rest'          => true,
 			'rest_base'             => 'menus',
diff --git a/src/wp-includes/widgets/class-wp-nav-menu-widget.php b/src/wp-includes/widgets/class-wp-nav-menu-widget.php
index 9cdc0a32bfc63..0db695a4fd506 100644
--- a/src/wp-includes/widgets/class-wp-nav-menu-widget.php
+++ b/src/wp-includes/widgets/class-wp-nav-menu-widget.php
@@ -172,12 +172,16 @@ public function form( $instance ) {
 				$url = admin_url( 'nav-menus.php' );
 			}
 
-			printf(
-				/* translators: %s: URL to create a new menu. */
-				__( 'No menus have been created yet. <a href="%s">Create some</a>.' ),
-				// The URL can be a `javascript:` link, so esc_attr() is used here instead of esc_url().
-				esc_attr( $url )
-			);
+			if ( current_user_can( 'manage_nav_menus' ) ) {
+				printf(
+					/* translators: %s: URL to create a new menu. */
+					__( 'No menus have been created yet. <a href="%s">Create some</a>.' ),
+					// The URL can be a `javascript:` link, so esc_attr() is used here instead of esc_url().
+					esc_attr( $url )
+				);
+			} else {
+				esc_html_e( 'No menus have been created yet.' );
+			}
 			?>
 		</p>
 		<div class="nav-menu-widget-form-controls" <?php echo $empty_menus_style; ?>>
diff --git a/tests/phpunit/tests/adminbar.php b/tests/phpunit/tests/adminbar.php
index 27308bd82760e..7d9a25cd39cdf 100644
--- a/tests/phpunit/tests/adminbar.php
+++ b/tests/phpunit/tests/adminbar.php
@@ -244,6 +244,52 @@ protected function get_standard_admin_bar() {
 		return $wp_admin_bar;
 	}
 
+	/**
+	 * Grants manage_nav_menus to users who can edit posts.
+	 *
+	 * @param string[] $caps    Primitive capabilities required of the user.
+	 * @param string   $cap     Capability being checked.
+	 * @param int      $user_id User ID.
+	 * @return string[] Primitive capabilities required of the user.
+	 */
+	public function grant_manage_nav_menus_to_users_who_can_edit_posts( $caps, $cap, $user_id ) {
+		if ( 'manage_nav_menus' === $cap && user_can( $user_id, 'edit_posts' ) ) {
+			return array( 'edit_posts' );
+		}
+
+		return $caps;
+	}
+
+	/**
+	 * @ticket 29213
+	 */
+	public function test_appearance_menu_shows_menus_node_for_user_who_can_manage_nav_menus() {
+		$had_menus_support = current_theme_supports( 'menus' );
+		if ( ! $had_menus_support ) {
+			add_theme_support( 'menus' );
+		}
+
+		wp_set_current_user( self::$editor_id );
+		add_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_edit_posts' ), 10, 3 );
+
+		try {
+			$this->assertFalse( current_user_can( 'edit_theme_options' ) );
+			$this->assertTrue( current_user_can( 'manage_nav_menus' ) );
+
+			$admin_bar = new WP_Admin_Bar();
+			wp_admin_bar_appearance_menu( $admin_bar );
+
+			$this->assertNotNull( $admin_bar->get_node( 'menus' ) );
+			$this->assertNull( $admin_bar->get_node( 'widgets' ) );
+			$this->assertNull( $admin_bar->get_node( 'themes' ) );
+		} finally {
+			remove_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_edit_posts' ), 10 );
+			if ( ! $had_menus_support ) {
+				remove_theme_support( 'menus' );
+			}
+		}
+	}
+
 	/**
 	 * @ticket 32495
 	 *
diff --git a/tests/phpunit/tests/ajax/wpAjaxNavMenus.php b/tests/phpunit/tests/ajax/wpAjaxNavMenus.php
new file mode 100644
index 0000000000000..d837188b73c08
--- /dev/null
+++ b/tests/phpunit/tests/ajax/wpAjaxNavMenus.php
@@ -0,0 +1,113 @@
+<?php
+/**
+ * Admin ajax functions to be tested.
+ */
+require_once ABSPATH . 'wp-admin/includes/ajax-actions.php';
+
+/**
+ * Tests Ajax handling for navigation menus.
+ *
+ * @group ajax
+ */
+class Tests_Ajax_wpAjaxNavMenus extends WP_Ajax_UnitTestCase {
+
+	/**
+	 * Grants manage_nav_menus to users who can read.
+	 *
+	 * @param string[] $caps    Primitive capabilities required of the user.
+	 * @param string   $cap     Capability being checked.
+	 * @param int      $user_id User ID.
+	 * @return string[] Primitive capabilities required of the user.
+	 */
+	public function grant_manage_nav_menus_to_users_who_can_read( $caps, $cap, $user_id ) {
+		if ( 'manage_nav_menus' === $cap && user_can( $user_id, 'read' ) ) {
+			return array( 'read' );
+		}
+
+		return $caps;
+	}
+
+	/**
+	 * @ticket 29213
+	 *
+	 * @dataProvider data_nav_menu_ajax_actions
+	 *
+	 * @param string $action    Ajax action.
+	 * @param array  $post_data Data to populate $_POST.
+	 */
+	public function test_nav_menu_ajax_actions_require_manage_nav_menus( $action, $post_data ) {
+		$this->_setRole( 'subscriber' );
+		$_POST = $post_data;
+
+		if ( 'add-menu-item' === $action ) {
+			$_POST['menu-settings-column-nonce'] = wp_create_nonce( 'add-menu_item' );
+		}
+
+		$this->expectException( 'WPAjaxDieStopException' );
+		$this->expectExceptionMessage( '-1' );
+		$this->_handleAjax( $action );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public function data_nav_menu_ajax_actions() {
+		return array(
+			'add menu item'       => array(
+				'action'    => 'add-menu-item',
+				'post_data' => array(),
+			),
+			'get metabox'         => array(
+				'action'    => 'menu-get-metabox',
+				'post_data' => array(),
+			),
+			'save menu locations' => array(
+				'action'    => 'menu-locations-save',
+				'post_data' => array(),
+			),
+			'quick search'        => array(
+				'action'    => 'menu-quick-search',
+				'post_data' => array(),
+			),
+		);
+	}
+
+	/**
+	 * @ticket 29213
+	 */
+	public function test_menu_quick_search_allows_user_who_can_manage_nav_menus() {
+		$post_id = self::factory()->post->create(
+			array(
+				'post_status' => 'publish',
+				'post_title'  => 'Nav Menu Ajax Test Page',
+			)
+		);
+
+		$this->_setRole( 'subscriber' );
+		add_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10, 3 );
+
+		try {
+			$this->assertFalse( current_user_can( 'edit_theme_options' ) );
+			$this->assertTrue( current_user_can( 'manage_nav_menus' ) );
+
+			$_POST = array(
+				'type'            => 'quick-search-posttype-post',
+				'q'               => 'Nav Menu Ajax Test Page',
+				'response-format' => 'json',
+			);
+
+			try {
+				$this->_handleAjax( 'menu-quick-search' );
+			} catch ( WPAjaxDieContinueException $e ) {
+				unset( $e );
+			}
+
+			$this->assertStringContainsString( 'Nav Menu Ajax Test Page', $this->_last_response );
+			$this->assertStringContainsString( (string) $post_id, $this->_last_response );
+		} finally {
+			remove_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10 );
+		}
+	}
+}
diff --git a/tests/phpunit/tests/customize/nav-menus.php b/tests/phpunit/tests/customize/nav-menus.php
index 65390705bad26..248c716d47c3f 100644
--- a/tests/phpunit/tests/customize/nav-menus.php
+++ b/tests/phpunit/tests/customize/nav-menus.php
@@ -530,13 +530,21 @@ public function test_enqueue_scripts() {
 	public function test_filter_dynamic_setting_args() {
 		$menus = new WP_Customize_Nav_Menus( $this->wp_customize );
 
-		$expected = array( 'type' => 'nav_menu_item' );
+		$expected = array(
+			'type'       => 'nav_menu_item',
+			'capability' => 'manage_nav_menus',
+		);
 		$results  = $menus->filter_dynamic_setting_args( $this->wp_customize, 'nav_menu_item[123]' );
 		$this->assertSame( $expected['type'], $results['type'] );
+		$this->assertSame( $expected['capability'], $results['capability'] );
 
-		$expected = array( 'type' => 'nav_menu' );
+		$expected = array(
+			'type'       => 'nav_menu',
+			'capability' => 'manage_nav_menus',
+		);
 		$results  = $menus->filter_dynamic_setting_args( $this->wp_customize, 'nav_menu[123]' );
 		$this->assertSame( $expected['type'], $results['type'] );
+		$this->assertSame( $expected['capability'], $results['capability'] );
 	}
 
 	/**
@@ -578,14 +586,22 @@ public function test_customize_register() {
 			)
 		);
 		do_action( 'customize_register', $this->wp_customize );
-		$this->assertInstanceOf( 'WP_Customize_Nav_Menu_Item_Setting', $this->wp_customize->get_setting( "nav_menu_item[$item_id]" ) );
-		$this->assertSame( 'Primary', $this->wp_customize->get_section( "nav_menu[$menu_id]" )->title );
+		$nav_menu_item_setting = $this->wp_customize->get_setting( "nav_menu_item[$item_id]" );
+		$nav_menu_setting      = $this->wp_customize->get_setting( "nav_menu[$menu_id]" );
+		$nav_menu_section      = $this->wp_customize->get_section( "nav_menu[$menu_id]" );
+
+		$this->assertInstanceOf( 'WP_Customize_Nav_Menu_Item_Setting', $nav_menu_item_setting );
+		$this->assertSame( 'manage_nav_menus', $nav_menu_item_setting->capability );
+		$this->assertSame( 'manage_nav_menus', $nav_menu_setting->capability );
+		$this->assertSame( 'manage_nav_menus', $nav_menu_section->capability );
+		$this->assertSame( 'Primary', $nav_menu_section->title );
 		$this->assertSame( 'Hello World', $this->wp_customize->get_control( "nav_menu_item[$item_id]" )->label );
 
 		$nav_menus_created_posts_setting = $this->wp_customize->get_setting( 'nav_menus_created_posts' );
 		$this->assertInstanceOf( 'WP_Customize_Filter_Setting', $nav_menus_created_posts_setting );
 		$this->assertSame( 'postMessage', $nav_menus_created_posts_setting->transport );
 		$this->assertSame( array(), $nav_menus_created_posts_setting->default );
+		$this->assertSame( 'manage_nav_menus', $nav_menus_created_posts_setting->capability );
 		$this->assertSame( array( $this->wp_customize->nav_menus, 'sanitize_nav_menus_created_posts' ), $nav_menus_created_posts_setting->sanitize_callback );
 	}
 
@@ -829,12 +845,14 @@ public function test_customize_dynamic_partial_args() {
 		$this->assertSame( 'nav_menu_instance', $args['type'] );
 		$this->assertSame( array( $this->wp_customize->nav_menus, 'render_nav_menu_partial' ), $args['render_callback'] );
 		$this->assertTrue( $args['container_inclusive'] );
+		$this->assertSame( 'manage_nav_menus', $args['capability'] );
 
 		$args = apply_filters( 'customize_dynamic_partial_args', array( 'fallback_refresh' => false ), 'nav_menu_instance[4099c7d8ad5cb9c94068b329da9893e3]' );
 		$this->assertIsArray( $args );
 		$this->assertSame( 'nav_menu_instance', $args['type'] );
 		$this->assertSame( array( $this->wp_customize->nav_menus, 'render_nav_menu_partial' ), $args['render_callback'] );
 		$this->assertTrue( $args['container_inclusive'] );
+		$this->assertSame( 'manage_nav_menus', $args['capability'] );
 		$this->assertFalse( $args['fallback_refresh'] );
 	}
 
diff --git a/tests/phpunit/tests/rest-api/wpRestMenuItemsController.php b/tests/phpunit/tests/rest-api/wpRestMenuItemsController.php
index a5b76af3438d2..a226fae2cf7a5 100644
--- a/tests/phpunit/tests/rest-api/wpRestMenuItemsController.php
+++ b/tests/phpunit/tests/rest-api/wpRestMenuItemsController.php
@@ -68,6 +68,22 @@ public static function wpTearDownAfterClass() {
 	/**
 	 *
 	 */
+	/**
+	 * Grants manage_nav_menus to users who can read.
+	 *
+	 * @param string[] $caps    Primitive capabilities required of the user.
+	 * @param string   $cap     Capability being checked.
+	 * @param int      $user_id User ID.
+	 * @return string[] Primitive capabilities required of the user.
+	 */
+	public function grant_manage_nav_menus_to_users_who_can_read( $caps, $cap, $user_id ) {
+		if ( 'manage_nav_menus' === $cap && user_can( $user_id, 'read' ) ) {
+			return array( 'read' );
+		}
+
+		return $caps;
+	}
+
 	public function set_up() {
 		parent::set_up();
 
@@ -171,6 +187,27 @@ public function test_get_items() {
 		$this->check_get_menu_items_response( $response );
 	}
 
+	/**
+	 * @ticket 29213
+	 * @covers ::get_items_permissions_check
+	 */
+	public function test_get_items_with_manage_nav_menus_permission() {
+		wp_set_current_user( self::$subscriber_id );
+		add_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10, 3 );
+
+		try {
+			$this->assertFalse( current_user_can( 'edit_theme_options' ) );
+			$this->assertTrue( current_user_can( 'manage_nav_menus' ) );
+
+			$request  = new WP_REST_Request( 'GET', '/wp/v2/menu-items' );
+			$response = rest_get_server()->dispatch( $request );
+
+			$this->check_get_menu_items_response( $response );
+		} finally {
+			remove_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10 );
+		}
+	}
+
 	/**
 	 * @ticket 40878
 	 * @covers ::get_item
@@ -346,6 +383,34 @@ public function test_create_item() {
 		$this->check_create_menu_item_response( $response );
 	}
 
+	/**
+	 * @ticket 29213
+	 * @covers ::create_item
+	 */
+	public function test_create_item_with_manage_nav_menus_permission() {
+		wp_set_current_user( self::$subscriber_id );
+		add_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10, 3 );
+
+		try {
+			$this->assertFalse( current_user_can( 'edit_theme_options' ) );
+			$this->assertTrue( current_user_can( 'manage_nav_menus' ) );
+
+			$request = new WP_REST_Request( 'POST', '/wp/v2/menu-items' );
+			$request->add_header( 'Content-Type', 'application/x-www-form-urlencoded' );
+			$params = $this->set_menu_item_data(
+				array(
+					'title' => 'Granular Cap Custom Link',
+				)
+			);
+			$request->set_body_params( $params );
+			$response = rest_get_server()->dispatch( $request );
+
+			$this->check_create_menu_item_response( $response );
+		} finally {
+			remove_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10 );
+		}
+	}
+
 	/**
 	 * @ticket 40878
 	 * @covers ::create_item
diff --git a/tests/phpunit/tests/rest-api/wpRestMenuLocationsController.php b/tests/phpunit/tests/rest-api/wpRestMenuLocationsController.php
index 1a0ffc4bb536b..6eaec5d12a655 100644
--- a/tests/phpunit/tests/rest-api/wpRestMenuLocationsController.php
+++ b/tests/phpunit/tests/rest-api/wpRestMenuLocationsController.php
@@ -17,17 +17,43 @@ class Tests_REST_WpRestMenuLocationsController extends WP_Test_REST_Controller_T
 	 */
 	protected static $admin_id;
 
+	/**
+	 * @var int
+	 */
+	protected static $subscriber_id;
+
 	/**
 	 * Create fake data before our tests run.
 	 *
 	 * @param WP_UnitTest_Factory $factory Helper that lets us create fake data.
 	 */
 	public static function wpSetUpBeforeClass( $factory ) {
-		self::$admin_id = $factory->user->create(
+		self::$admin_id      = $factory->user->create(
 			array(
 				'role' => 'administrator',
 			)
 		);
+		self::$subscriber_id = $factory->user->create(
+			array(
+				'role' => 'subscriber',
+			)
+		);
+	}
+
+	/**
+	 * Grants manage_nav_menus to users who can read.
+	 *
+	 * @param string[] $caps    Primitive capabilities required of the user.
+	 * @param string   $cap     Capability being checked.
+	 * @param int      $user_id User ID.
+	 * @return string[] Primitive capabilities required of the user.
+	 */
+	public function grant_manage_nav_menus_to_users_who_can_read( $caps, $cap, $user_id ) {
+		if ( 'manage_nav_menus' === $cap && user_can( $user_id, 'read' ) ) {
+			return array( 'read' );
+		}
+
+		return $caps;
 	}
 
 	/**
@@ -105,6 +131,32 @@ public function test_get_items() {
 		$this->assertSame( $menu_descriptions, $descriptions );
 	}
 
+	/**
+	 * @ticket 29213
+	 * @covers ::get_items_permissions_check
+	 */
+	public function test_get_items_with_manage_nav_menus_permission() {
+		$menus = array( 'primary', 'secondary' );
+		$this->register_nav_menu_locations( array( 'primary', 'secondary' ) );
+		wp_set_current_user( self::$subscriber_id );
+		add_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10, 3 );
+
+		try {
+			$this->assertFalse( current_user_can( 'edit_theme_options' ) );
+			$this->assertTrue( current_user_can( 'manage_nav_menus' ) );
+
+			$request  = new WP_REST_Request( 'GET', '/wp/v2/menu-locations' );
+			$response = rest_get_server()->dispatch( $request );
+			$data     = array_values( $response->get_data() );
+			$names    = wp_list_pluck( $data, 'name' );
+
+			$this->assertSame( 200, $response->get_status() );
+			$this->assertSame( $menus, $names );
+		} finally {
+			remove_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10 );
+		}
+	}
+
 	/**
 	 * @ticket 40878
 	 * @covers ::get_item
diff --git a/tests/phpunit/tests/rest-api/wpRestMenusController.php b/tests/phpunit/tests/rest-api/wpRestMenusController.php
index 864b09417d2cb..621ac4cdadf07 100644
--- a/tests/phpunit/tests/rest-api/wpRestMenusController.php
+++ b/tests/phpunit/tests/rest-api/wpRestMenusController.php
@@ -64,6 +64,22 @@ public static function wpSetUpBeforeClass( $factory ) {
 		);
 	}
 
+	/**
+	 * Grants manage_nav_menus to users who can read.
+	 *
+	 * @param string[] $caps    Primitive capabilities required of the user.
+	 * @param string   $cap     Capability being checked.
+	 * @param int      $user_id User ID.
+	 * @return string[] Primitive capabilities required of the user.
+	 */
+	public function grant_manage_nav_menus_to_users_who_can_read( $caps, $cap, $user_id ) {
+		if ( 'manage_nav_menus' === $cap && user_can( $user_id, 'read' ) ) {
+			return array( 'read' );
+		}
+
+		return $caps;
+	}
+
 	/**
 	 *
 	 */
@@ -186,6 +202,27 @@ public function test_get_items() {
 		$this->check_get_taxonomy_terms_response( $response );
 	}
 
+	/**
+	 * @ticket 29213
+	 * @covers ::get_items_permissions_check
+	 */
+	public function test_get_items_with_manage_nav_menus_permission() {
+		wp_set_current_user( self::$subscriber_id );
+		add_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10, 3 );
+
+		try {
+			$this->assertFalse( current_user_can( 'edit_theme_options' ) );
+			$this->assertTrue( current_user_can( 'manage_nav_menus' ) );
+
+			$request = new WP_REST_Request( 'GET', '/wp/v2/menus' );
+			$request->set_param( 'per_page', self::$per_page );
+			$response = rest_get_server()->dispatch( $request );
+			$this->check_get_taxonomy_terms_response( $response );
+		} finally {
+			remove_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10 );
+		}
+	}
+
 	/**
 	 * @ticket 40878
 	 * @covers ::get_item
@@ -270,6 +307,30 @@ public function test_create_item() {
 		$this->assertSame( 'my-awesome-menus', $data['slug'] );
 	}
 
+	/**
+	 * @ticket 29213
+	 * @covers ::create_item
+	 */
+	public function test_create_item_with_manage_nav_menus_permission() {
+		wp_set_current_user( self::$subscriber_id );
+		add_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10, 3 );
+
+		try {
+			$this->assertFalse( current_user_can( 'edit_theme_options' ) );
+			$this->assertTrue( current_user_can( 'manage_nav_menus' ) );
+
+			$request = new WP_REST_Request( 'POST', '/wp/v2/menus' );
+			$request->set_param( 'name', 'My Granular Cap Menu' );
+			$response = rest_get_server()->dispatch( $request );
+			$data     = $response->get_data();
+
+			$this->assertSame( 201, $response->get_status() );
+			$this->assertSame( 'My Granular Cap Menu', $data['name'] );
+		} finally {
+			remove_filter( 'map_meta_cap', array( $this, 'grant_manage_nav_menus_to_users_who_can_read' ), 10 );
+		}
+	}
+
 	/**
 	 * @ticket 40878
 	 * @covers ::create_item
diff --git a/tests/phpunit/tests/user/capabilities.php b/tests/phpunit/tests/user/capabilities.php
index b92b0db231ecb..972b0a8b42fcf 100644
--- a/tests/phpunit/tests/user/capabilities.php
+++ b/tests/phpunit/tests/user/capabilities.php
@@ -282,6 +282,7 @@ private function _getSingleSiteMetaCaps() {
 			'upload_plugins'              => array( 'administrator' ),
 			'upload_themes'               => array( 'administrator' ),
 			'customize'                   => array( 'administrator' ),
+			'manage_nav_menus'            => array( 'administrator' ),
 			'add_users'                   => array( 'administrator' ),
 			'install_languages'           => array( 'administrator' ),
 			'update_languages'            => array( 'administrator' ),
@@ -329,6 +330,7 @@ private function _getMultiSiteMetaCaps() {
 			'manage_privacy_options'      => array(),
 
 			'customize'                   => array( 'administrator' ),
+			'manage_nav_menus'            => array( 'administrator' ),
 			'delete_site'                 => array( 'administrator' ),
 			'add_users'                   => array( 'administrator' ),