
BuddyPress.org

Opened 11 years ago

Closed 11 years ago

Last modified 11 years ago

#5465 closed defect (bug) (fixed)

About BuddyPress in WP Admin Bar and multisite config !!

Reported by: imath Owned by: imath
Milestone: 2.0 Priority: highest
Severity: blocker Version: 1.9
Component: Administration Keywords: has-patch commit
Cc:

Description

On multisite config, BuddyPress Network activated.

  1. a regular Administrator of the root_blog can, from the administration of this root blog, click on the WP Admin Bar "About BuddyPress" link to discover the about page and:
    • the BuddyPress settings menu!! from which he can deactivate the components, change the page mapping, and edit all BuddyPress settings
    • the BuddyPress tools menu, from which he can hopefully do nothing :)
  2. a regular Administrator of a child blog sees the same link; hopefully on click, he has the wp_die() message

So I think it's really important to:
a) avoid showing the About link in the WP Admin Bar on child blogs.
b) create a specific capability like 'bp_admin' that is mapped to 'manage_options' if ! multisite() and to 'manage_network_options' in case of a multisite config where BuddyPress is network activated. I think I'll create a new ticket for this last one.

The patch only disables the About WP Admin Bar link on child blogs.

Attachments (2)

5465.diff (525 bytes) - added by imath 11 years ago.
5465.02.diff (4.2 KB) - added by imath 11 years ago.


Change History (12)

@imath
11 years ago

#1 @imath
11 years ago

  • Milestone changed from 2.0 to 1.9.3

#2 follow-up: @johnjamesjacoby
11 years ago

Let's choose our capability names wisely, especially since they are currently being done piecemeal. bp_moderate was picked specifically as a replacement for our is_super_admin checks of yore.

I agree there are some single/multi-site quirks with activation and admin screens. Let's try to make wise decisions about what we ultimately want users and admins to see. Our adding a menu for About BuddyPress has always felt over-the-top to me, since it's an admin screen, and we typically want to keep members out of the admin area.

#3 in reply to: ↑ 2 @imath
11 years ago

Replying to johnjamesjacoby:

Let's choose our capability names wisely, especially since they are currently being done piecemeal. bp_moderate was picked specifically as a replacement for our is_super_admin checks of yore.

I agree, I found this bug after having troubles with bp_moderate and configs where BuddyPress is not network activated. Because in this case, a regular admin has the same power as a super admin, see #5463

#4 follow-up: @boonebgorges
11 years ago

The real issue is not that we're showing the link to About BuddyPress to non-super-admins, it's that we're allowing people to see screens and change info that they shouldn't be allowed to change. If we don't want non-super-admins to see our Settings and Tools pages, then we should be bouncing them directly from those pages. *That* is the blocker issue. If we want to hide the About BuddyPress link from certain people, that's fine too.

#5 in reply to: ↑ 4 @imath
11 years ago

Replying to boonebgorges:

The real issue is not that we're showing the link to About BuddyPress to non-super-admins, it's that we're allowing people to see screens and change info that they shouldn't be allowed to change.

I agree. The cause that opens the problem is the "About BuddyPress" WP Admin Bar link. So a quick fix is to hide it.

A real fix might be to use a capability so that we're sure using it for a menu (for example) will ensure the menu would only be shown to allowed users. It could be 'bp_moderate' if the mapping function was more strict, else a new capability ( 'bp_admin' or 'bp_manage' or 'manage_buddypress'...) that would allow 'manage_options' if single config and 'manage_network_options' if on multisite would be interesting, I think.

#6 @imath
11 years ago

  • Keywords needs-testing added

Hi,

a good night of sleep can be a good advisor :) Maybe we could, just like the settings page, use the setup_globals() method of the BP_Admin class to set the capability based on bp_core_do_network_admin().

That can avoid the creation of a new 'admin' capacity.

I've tested 5465.02.diff and it seems to fix the issue.

@imath
11 years ago

#7 @boonebgorges
11 years ago

  • Keywords commit added; 2nd-opinion needs-testing removed

imath - Excellent. 5465.02.diff looks like the right solution. In the situation where BP is activated on a single site in a network (so do_network_admin = false), I think it's correct that 'manage_options' is the right cap - that site's admin should be able to access settings. Thanks for the research.
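The approach agreed in comments #6 and #7 (pick the capability once from bp_core_do_network_admin() and use it for every admin menu, page and admin bar link), as an added illustration that is not BuddyPress's own BP_Admin code and not taken from 5465.02.diff. The class name Example_BP_Admin, the menu slug example-bp-settings and the method names are hypothetical; the only BuddyPress function assumed is bp_core_do_network_admin(), and the code assumes it runs inside WordPress with BuddyPress loaded.

```php
<?php
/**
 * Added illustration of the capability selection discussed in #5465.
 * Not BuddyPress's BP_Admin class: class, slug and method names are
 * hypothetical. Assumes WordPress and BuddyPress are loaded so that
 * bp_core_do_network_admin(), add_submenu_page() etc. exist.
 */
class Example_BP_Admin {

    /** Capability required for the settings/tools menus and the admin bar link. */
    public $capability;

    public function __construct() {
        $this->setup_globals();

        // Network activated: menus live in the network admin, which WordPress
        // already restricts; otherwise they live in the site admin.
        $hook = bp_core_do_network_admin() ? 'network_admin_menu' : 'admin_menu';
        add_action( $hook, array( $this, 'admin_menus' ) );
        add_action( 'admin_bar_menu', array( $this, 'admin_bar_about_link' ), 100 );
    }

    /** Decide the capability once, from the configuration BuddyPress runs in. */
    public function setup_globals() {
        // Network activated on multisite: only users holding the network-level
        // capability (super admins) may manage BuddyPress. Single site, or
        // activated on one site of a network: that site's administrators
        // manage it, so 'manage_options' is the right capability (comment #7).
        $this->capability = bp_core_do_network_admin()
            ? 'manage_network_options'
            : 'manage_options';
    }

    /** Register the settings page under the matching Settings parent. */
    public function admin_menus() {
        $parent = bp_core_do_network_admin() ? 'settings.php' : 'options-general.php';

        add_submenu_page(
            $parent,
            'BuddyPress Settings',
            'BuddyPress',
            $this->capability,          // same capability everywhere
            'example-bp-settings',
            array( $this, 'settings_page' )
        );
    }

    /** Page callback: refuse direct requests as well, per comment #4. */
    public function settings_page() {
        if ( ! current_user_can( $this->capability ) ) {
            wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
        }
        echo '<div class="wrap"><h1>BuddyPress Settings</h1></div>';
    }

    /** Only offer the admin bar link to users who can open what it points to. */
    public function admin_bar_about_link( $wp_admin_bar ) {
        if ( ! current_user_can( $this->capability ) ) {
            return; // regular admins of child blogs never see the link
        }

        $base = bp_core_do_network_admin()
            ? network_admin_url( 'settings.php' )
            : admin_url( 'options-general.php' );

        $wp_admin_bar->add_node( array(
            'id'     => 'example-bp-about',
            'parent' => 'wp-logo',
            'title'  => 'About BuddyPress',
            'href'   => add_query_arg( 'page', 'example-bp-settings', $base ),
        ) );
    }
}

new Example_BP_Admin();
```

The point of computing $this->capability in one place is that the menu registration, the page callback and the admin bar link cannot drift apart: a user who sees the link can open the page, and a user who requests the page URL directly without the capability gets the same wp_die() as before, whichever configuration BuddyPress runs in.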

#8 @imath
11 years ago

In 8139:

Check the right capabilities are used in the BP_Admin class

The introduction of the link "About BuddyPress" within the WP Admin Bar revealed that in multisite configurations, some administration menus were accessible to regular administrators when they should be restricted to the Super Administrator.
Now, the capacity used in these menus will be adapted to the configuration in which BuddyPress evolves using a "network" capacity when necessary.

props johnjamesjacoby, boonebgorges, imath

See #5465

#9 @imath
11 years ago

  • Owner set to imath
  • Resolution set to fixed
  • Status changed from new to closed

In 8140:

Check the right capabilities are used in the BP_Admin class

The introduction of the link "About BuddyPress" within the WP Admin Bar revealed that in multisite configurations, some administration menus were accessible to regular administrators when they should be restricted to the Super Administrator.
Now, the capacity used in these menus will be adapted to the configuration in which BuddyPress evolves using a "network" capacity when necessary.

props johnjamesjacoby, boonebgorges, imath

Fixes #5465

#10 @boonebgorges
11 years ago

  • Milestone changed from 1.9.3 to 2.0

Moving to 2.0 because 1.9.3 never happened.
