#5465 closed defect (bug) (fixed)
About BuddyPress in WP Admin Bar and multisite config !!
| Field | Value | Field | Value |
|---|---|---|---|
| Reported by: | imath | Owned by: | imath |
| Milestone: | 2.0 | Priority: | highest |
| Severity: | blocker | Version: | 1.9 |
| Component: | Administration | Keywords: | has-patch commit |
| Cc: | | | |
Description
On multisite config, BuddyPress Network activated:
- a regular Administrator of the root_blog can, from the administration of this root blog, click on the WP Admin Bar "About BuddyPress" link to discover the about page and:
  - the BuddyPress settings menu !! from which he can deactivate the components, change the page mapping, and edit all BuddyPress settings
  - the BuddyPress tools menu, from which he can hopefully do nothing :)
- a regular Administrator of a child blog sees the same link; hopefully, on click, he gets the wp_die() message
So I think it's really important to:
a) avoid showing the About link in the WP Admin Bar on child blogs.
b) create a specific capability like 'bp_admin' that is mapped to 'manage_options' if ! multisite() and to 'manage_network_options' in case of a multisite config where BuddyPress is network activated. I think I'll create a new ticket for this last one.
The patch only disables the About WP Admin Bar link on child blogs.
Attachments (2)
Change History (12)
#3 in reply to: ↑ 2, 11 years ago
Replying to johnjamesjacoby:
Let's choose our capability names wisely, especially since they are currently being done piecemeal. bp_moderate was picked specifically as a replacement for our is_super_admin checks of yore.
I agree, I found this bug after having troubles with bp_moderate and configs where BuddyPress is not network activated. Because in this case, a regular admin has the same power as a super admin (see #5463).
#4 by boonebgorges, follow-up: ↓ 5, 11 years ago
The real issue is not that we're showing the link to About BuddyPress to non-super-admins, it's that we're allowing people to see screens and change info that they shouldn't be allowed to change. If we don't want non-super-admins to see our Settings and Tools pages, then we should be bouncing them directly from those pages. *That* is the blocker issue. If we want to hide the About BuddyPress link from certain people, that's fine too.
#5 in reply to: ↑ 4, 11 years ago
Replying to boonebgorges:
The real issue is not that we're showing the link to About BuddyPress to non-super-admins, it's that we're allowing people to see screens and change info that they shouldn't be allowed to change.
I agree. The cause that opens the problem is the "About BuddyPress" WP Admin Bar link. So a quick fix is to hide it.
A real fix might be to use a capability so that we're sure using it for a menu (for example) will ensure the menu would only be shown to allowed users. It could be 'bp_moderate' if the mapping function was more strict, else a new capability ('bp_admin' or 'bp_manage' or 'manage_buddypress'...) that would allow 'manage_options' if single config and 'manage_network_options' if on multisite would be interesting, I think.
#6, 11 years ago
- Keywords needs-testing added
Hi,
a good night of sleep can be a good advisor :) Maybe we could, just like the settings page, use the setup_globals() method of the BP_Admin class to set the capability based on bp_core_do_network_admin().
That can avoid the creation of a new 'admin' capability.
I've tested 5465.02.diff and it seems to fix the issue.
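The approach the comments converge on (bounce unauthorised users at the screen itself, as #4 asks, and pick the capability from bp_core_do_network_admin(), as #6 suggests), as an added example written for this page; it is not BuddyPress' code or the 5465.02.diff patch, and the example_* functions, the menu slug and the titles are assumed names, while bp_core_do_network_admin(), the bp_loaded hook and the WordPress calls are real:

```php
<?php
// Added example (not BuddyPress' code, nor the 5465.02.diff patch): derive one
// capability from the activation state and use it for the menu entry, the
// screen and the Admin Bar link, so hiding the link is never the only guard.
// bp_core_do_network_admin() and the bp_loaded hook are BuddyPress' own;
// the example_* names are illustrative.
function example_bp_admin_capability() {
    // Network activated on multisite: only network admins manage BuddyPress.
    if ( is_multisite() && bp_core_do_network_admin() ) {
        return 'manage_network_options';
    }
    // Single site, or activated on one site of a network: that site's
    // Administrator is the right person to manage its settings.
    return 'manage_options';
}
// Screen callback: re-check the capability rather than trusting that the
// link was hidden, and bounce unauthorised users with wp_die().
function example_bp_settings_screen() {
    if ( ! current_user_can( example_bp_admin_capability() ) ) {
        wp_die( __( 'You do not have sufficient permissions to access this page.' ) );
    }
    echo '<div class="wrap"><h1>BuddyPress Settings (example)</h1></div>';
}
// Register the page with that capability; WordPress checks it before loading
// admin.php?page=..., so a typed-in URL no longer reaches the screen.
function example_bp_register_menu() {
    add_menu_page( 'BuddyPress Settings', 'BuddyPress', example_bp_admin_capability(),
        'example-bp-settings', 'example_bp_settings_screen' );
}
// Admin Bar link: only render it for users who can use the screen, and point
// it at the admin (network or site) where the page is registered.
function example_bp_admin_bar_link( $wp_admin_bar ) {
    if ( ! current_user_can( example_bp_admin_capability() ) ) {
        return;
    }
    $base = bp_core_do_network_admin() ? network_admin_url() : admin_url();
    $wp_admin_bar->add_node( array(
        'id'    => 'example-bp-settings',
        'title' => 'BuddyPress Settings',
        'href'  => $base . 'admin.php?page=example-bp-settings',
    ) );
}
// Hook up once BuddyPress is loaded, on the admin that matches the capability.
add_action( 'bp_loaded', function () {
    $hook = bp_core_do_network_admin() ? 'network_admin_menu' : 'admin_menu';
    add_action( $hook, 'example_bp_register_menu' );
    add_action( 'admin_bar_menu', 'example_bp_admin_bar_link', 100 );
} );
```

With BuddyPress network activated, a child-blog Administrator lacks manage_network_options, so the link is not rendered and a direct request to the page is refused by WordPress before the screen callback runs.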
#7, 11 years ago
- Keywords commit added; 2nd-opinion needs-testing removed
imath - Excellent. 5465.02.diff looks like the right solution. In the situation where BP is activated on a single site in a network (so do_network_admin = false), I think it's correct that 'manage_options' is the right cap - that site's admin should be able to access settings. Thanks for the research.
#2 by johnjamesjacoby
Let's choose our capability names wisely, especially since they are currently being done piecemeal. bp_moderate was picked specifically as a replacement for our is_super_admin checks of yore.
I agree there are some single/multi-site quirks with activation and admin screens. Let's try to make wise decisions about what we ultimately want users and admins to see. Our adding a menu for About BuddyPress has always felt over-the-top to me, since it's an admin screen, and we typically want to keep members out of the admin area.