Network admin plugin pages can be accessed on non-multisite

[flixos90]

I just noticed that it's theoretically possible to access a plugin-generated page in the network admin panel even if we're not on a multisite setup. The same applies to the user admin panel as well.

To replicate, create a plugin that uses add_menu_page() with a slug my_test_page, hooked into network_admin_menu. Then manually go to the URL http://yourdomain.com/wp-admin/network/admin.php?page=my_test_page.

This happens because the is_multisite() check happens only after including the general wp-admin/admin.php administration bootstrap file which takes care of any plugin pages by itself. The problem is we can't do it before because WordPress hasn't been loaded then. A possible solution would be to split the require_once statement in wp-admin/network/admin.php into two, one to load the WordPress core functions, the other to load wp-admin/admin.php.

I don't think this is a very critical issue, but I thought it should be a ticket. It's very unlikely that anyone tries to access a network admin URL when they don't have a multisite. On the other hand, we catch that in other areas (through ! is_multisite() checks), so we might try to do it here as well.

[ilovecats7]

When I replicate this bug as per instructions in the ticket description, I get a fatal error. I added a patch that redirects to the admin URL when attempting to access a plugin generated page in the network admin panel when multisite is not enabled.