Timestamp:
03/17/2014 08:58:00 PM (6 years ago)
Author:
imath
Message:

Check the right capabilities are used in the BP_Admin class

The introduction of the link "About BuddyPress" within the WP Admin Bar revealed that in multisite configurations, some administration menus were accessible to regular administrators when they should be restricted to the Super Administrator.
Now, the capability used for these menus is adapted to the configuration BuddyPress is running in, using a "network" capability when necessary.

props johnjamesjacoby, boonebgorges, imath

Fixes #5465

File:
1 edited

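--- a/trunk/bp-core/bp-core-admin.php
+++ b/trunk/bp-core/bp-core-admin.php
@@ -105,4 +105,7 @@
         // Main settings page
         $this->settings_page = bp_core_do_network_admin() ? 'settings.php' : 'options-general.php';
+
+        // Main capability
+        $this->capability = bp_core_do_network_admin() ? 'manage_network_options' : 'manage_options';
     }
 
@@ -205,5 +208,5 @@
             __( 'BuddyPress', 'buddypress' ),
             __( 'BuddyPress', 'buddypress' ),
-            'manage_options',
+            $this->capability,
             'bp-general-settings',
             'bp_core_admin_backpat_menu',
@@ -215,5 +218,5 @@
             __( 'BuddyPress Help', 'buddypress' ),
             __( 'Help', 'buddypress' ),
-            'manage_options',
+            $this->capability,
             'bp-general-settings',
             'bp_core_admin_backpat_page'
@@ -225,5 +228,5 @@
             __( 'BuddyPress Components', 'buddypress' ),
             __( 'BuddyPress', 'buddypress' ),
-            'manage_options',
+            $this->capability,
             'bp-components',
             'bp_core_admin_components_settings'
@@ -234,5 +237,5 @@
             __( 'BuddyPress Pages', 'buddypress' ),
             __( 'BuddyPress Pages', 'buddypress' ),
-            'manage_options',
+            $this->capability,
             'bp-page-settings',
             'bp_core_admin_slugs_settings'
@@ -243,5 +246,5 @@
             __( 'BuddyPress Settings', 'buddypress' ),
             __( 'BuddyPress Settings', 'buddypress' ),
-            'manage_options',
+            $this->capability,
             'bp-settings',
             'bp_core_admin_settings'
@@ -256,5 +259,5 @@
                 __( 'Tools', 'buddypress' ),
                 __( 'Tools', 'buddypress' ),
-                'manage_network_options',
+                $this->capability,
                 $tools_parent,
                 'bp_core_tools_top_level_item',
@@ -267,5 +270,5 @@
                 __( 'Available Tools', 'buddypress' ),
                 __( 'Available Tools', 'buddypress' ),
-                'manage_network_options',
+                $this->capability,
                 'available-tools',
                 'bp_core_admin_available_tools_page'
@@ -279,5 +282,5 @@
             __( 'BuddyPress Tools', 'buddypress' ),
             __( 'BuddyPress', 'buddypress' ),
-            'manage_options',
+            $this->capability,
             'bp-tools',
             'bp_core_admin_tools'
@@ -517,5 +520,5 @@
                     <h4><?php _e( 'Your Default Setup', 'buddypress' ); ?></h4>
 
-                    <?php if ( bp_is_active( 'members' ) && bp_is_active( 'activity' ) ) : ?>
+                    <?php if ( bp_is_active( 'members' ) && bp_is_active( 'activity' ) && current_user_can( $this->capability ) ) : ?>
                         <p><?php printf(
                         __( 'BuddyPress&#8217;s powerful features help your users connect and collaborate. To help get your community started, we&#8217;ve activated two of the most commonly used tools in BP: <strong>Extended Profiles</strong> and <strong>Activity Streams</strong>. See these components in action at the %1$s and %2$s directories, and be sure to spend a few minutes <a href="%3$s">configuring user profiles</a>. Want to explore more of BP&#8217;s features? Visit the <a href="%4$s">Components panel</a>.', 'buddypress' ),
@@ -585,7 +588,9 @@
                 </div>
 
-                <div class="return-to-dashboard">
-                    <a href="<?php echo esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components' ), $this->settings_page ) ) ); ?>"><?php _e( 'Go to the BuddyPress Settings page', 'buddypress' ); ?></a>
-                </div>
+                <?php if ( current_user_can( $this->capability ) ) :?>
+                    <div class="return-to-dashboard">
+                        <a href="<?php echo esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components' ), $this->settings_page ) ) ); ?>"><?php _e( 'Go to the BuddyPress Settings page', 'buddypress' ); ?></a>
+                    </div>
+                <?php endif ;?>
 
             </div>
@@ -716,7 +721,9 @@
             </p>
 
-            <div class="return-to-dashboard">
-                <a href="<?php echo esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components' ), $this->settings_page ) ) ); ?>"><?php _e( 'Go to the BuddyPress Settings page', 'buddypress' ); ?></a>
-            </div>
+            <?php if ( current_user_can( $this->capability ) ) :?>
+                <div class="return-to-dashboard">
+                    <a href="<?php echo esc_url( bp_get_admin_url( add_query_arg( array( 'page' => 'bp-components' ), $this->settings_page ) ) ); ?>"><?php _e( 'Go to the BuddyPress Settings page', 'buddypress' ); ?></a>
+                </div>
+            <?php endif;?>
 
         </div>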
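Review bot: The two Tools registrations (new lines 261 and 272) previously passed the literal `'manage_network_options'` and now pass `$this->capability`, which resolves to `'manage_options'` whenever `bp_core_do_network_admin()` is false, so they are the only menu entries in this changeset whose required capability can become weaker rather than stricter. The condition that wraps them starts outside the visible hunks; if it does not already guarantee a network-admin context, keep `'manage_network_options',` on those two calls, and if it does, a comment such as `// Only reached in the network admin, so $this->capability is 'manage_network_options'` would record the invariant. The `current_user_can( $this->capability )` wrappers at new lines 522, 590 and 723 only hide links; access to the pages themselves rests on the capability given at menu registration, and any save handlers behind those pages (not shown here) should make the same check.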