BuddyPress.org

Opened 5 years ago

Last modified 3 years ago

#5869 new defect (bug)

Users with 'bp_moderate' capability required to also have 'manage_options' capability

Reported by: ryanjhale
Owned by:
Milestone: Awaiting Contributions
Priority: normal
Severity: normal
Version: 1.6
Component: Core
Keywords: needs-patch
Cc:

Description

After creating a new WordPress role with the bp_moderate capability, the Groups and Activity admin menus are not displayed. Below are the capabilities of the user in this new role along with a screenshot of what the user sees.

Screenshot:

https://www.dropbox.com/s/jyu4pign0aaghlt/Screen%20Shot%202014-09-09%20at%2010.13.46%20AM.png?dl=0

Capabilities available with role:

activate_plugins => false,
delete_others_pages => true,
delete_others_posts => true,
delete_pages => true,
delete_plugins => false,
delete_posts => true,
delete_private_pages => true,
delete_private_posts => true,
delete_published_pages => true,
delete_published_posts => true,
edit_dashboard => false,
edit_files => false,
edit_others_pages => true,
edit_others_posts => true,
edit_pages => true,
edit_posts => true,
edit_private_pages => true,
edit_private_posts => true,
edit_published_pages => true,
edit_published_posts => true,
edit_theme_options => false,
export => true,
import => false,
list_users => true,
manage_categories => true,
manage_links => true,
manage_options => false,
moderate_comments => true,
promote_users => true,
publish_pages => true,
publish_posts => true,
read_private_pages => true,
read_private_posts => true,
read => true,
remove_users => true,
switch_themes => false,
upload_files => true,
update_core => false,
update_plugins => false,
update_themes => false,
install_plugins => false,
install_themes => false,
delete_themes => false,
edit_plugins => false,
edit_themes => false,
edit_users => true,
create_users => true,
delete_users => true,
unfiltered_html => true,
bp_moderate => true

It appears that the user should be able to see these menus as it appears that bp_moderate is the capability required to see the menu. From bp-groups/bp-groups-admin.php:

$hook = add_menu_page(
	__( 'Groups', 'buddypress' ),
	__( 'Groups', 'buddypress' ),
	'bp_moderate',
	'bp-groups',
	'bp_groups_admin',
	'div'
);

Side note: If I set manage_options => true, the menus display correctly, but that is not desired in this case.

Attachments (2)

5869.01.patch (701 bytes) - added by r-a-y 5 years ago.
5869.02.patch (1.4 KB) - added by r-a-y 5 years ago.

Change History (19)

#1 @r-a-y
5 years ago

  • Keywords dev-feedback added
  • Milestone changed from Awaiting Review to 2.2
  • Summary changed from bp_moderate capability doesn't allow access to Groups and Activity admin menus to Users with 'bp_moderate' capability required to also have 'manage_options' capability
  • Version set to 1.6

Thanks for reporting this, ryanjhale.

I took a closer look at why the 'manage_options' cap is required even though the 'bp_moderate' cap is set for a user and it appears this is a holdover from an earlier implementation of 'map_meta_caps'.

It appears that BP forces users with the 'bp_moderate' cap to also have the 'manage_options' cap on single site. See:
https://buddypress.trac.wordpress.org/browser/tags/2.0.2/bp-core/bp-core-caps.php#L199

For v2.2, we'll probably need to audit capabilities with BuddyPress (see #5121) before tackling this.

Last edited 5 years ago by r-a-y

#2 @r-a-y
5 years ago

  • Keywords has-patch added; dev-feedback removed

01.patch is a quick fix. It grabs the user's capabilities and does an explicit check for the 'bp_moderate' cap. If the user does not have this cap, we disallow the cap.

Did some quick testing and this works. Only thing is the WP Toolbar appears to be missing the "Edit Member" menu item when on a BP user page, but should be easy to fix.

#3 @DJPaul
5 years ago

bp_moderate has never been fully implemented, I am not surprised there are problems with it.

#4 @ryanjhale
5 years ago

@r-a-y, it looks like there may be some downstream ramifications for this fix. After doing some testing, I've noticed that my xprofile users submenu disappeared after applying the patch.

#5 @r-a-y
5 years ago

After doing some testing, I've noticed that my xprofile users submenu disappeared after applying the patch.

I already noted that. See the latter part of comment:2.

This only applies to your new role with only the 'bp_moderate' cap. Regular admins should still work.

Like I mentioned, this is easy to fix. 02.patch should address this. You can either use 02.patch or add the edit_users cap to your custom role.

Last edited 5 years ago by r-a-y

#6 @ryanjhale
5 years ago

Sorry, I should have been more clear. I'm seeing this problem when logged in as a regular admin.

#7 @r-a-y
5 years ago

Can you elaborate what you mean by this - "I've noticed that my xprofile users submenu"?

#8 @ryanjhale
5 years ago

Yes, after I applied the patch, when logged in as the site admin, the Profile Fields submenu within the Users menu in admin disappears.

#9 @r-a-y
5 years ago

I'm logged in as an administrator and the "Users > Profile Fields" menu item shows up for me on single-site. Haven't tested multisite, but that should work as well.

That page requires the 'manage_options' cap, which should work if you are an admin.

#10 @ryanjhale
5 years ago

Strange. OK, maybe I have something else going on here. I'm on a single site as well. I'll do some more digging. Thanks.

#11 @ryanjhale
5 years ago

For what it is worth, I was able to get Users > Profile Fields to show up if I explicitly added bp_moderate to the administrator's role. But without it, I wasn't able to access. Maybe that's exactly what you intended?

#12 @r-a-y
5 years ago

Maybe that's exactly what you intended?

No, that's not what I intended.

The "Users > Profile Fields" page requires the 'manage_options' capability:
https://buddypress.trac.wordpress.org/browser/tags/2.0.2/bp-xprofile/bp-xprofile-admin.php#L27

Administrators should have the 'manage_options' cap by default.

Is it possible for you to test on a fresh dev environment of BP 2.0.2 without any patches and confirm that everything is working? Then apply the patch and see if the same problem pops back again?

#13 @ryanjhale
5 years ago

Happy to help. Unfortunately, I'm seeing the exact same thing that I saw before. Here are the steps I took:

-- New install of WP 4.0
-- Install BP 2.0.2
-- Turned on the BP settings to make sure everything was enabled.
-- Confirmed that Profile Fields displayed in the Users menu.
-- Applied the patch
-- Rechecked (unsuccessfully) to see if the Profile Fields link was there. It wasn't.

I took some screenshots and put them in a Google Slides presentation if it would be helpful to double-check:

https://docs.google.com/presentation/d/1M6j78N3sKegpXCAGKo_88AOCqIaAdSHUzscbJjFbzHA/edit?usp=sharing

One thing that I did look at before I reported this earlier is that the function that displays that submenu has an if statement that checks for bp_moderate. Not certain if that is completely relevant, but since there is an explicit check now, it made me wonder and that is why I decided to try out putting bp_moderate in the administrator's capabilities, which as I mentioned, did work.

function xprofile_add_admin_menu() {

	if ( !bp_current_user_can( 'bp_moderate' ) )
		return false;

	add_users_page( __( 'Profile Fields', 'buddypress' ), __( 'Profile Fields', 'buddypress' ), 'manage_options', 'bp-profile-setup', 'xprofile_admin' );
}
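
The capability interaction discussed in comment 1 (the holdover mapping of 'bp_moderate' onto 'manage_options'), the explicit-cap check described in comment 2, and the administrator regression reported in comment 13, as an added illustration that is not BuddyPress code, r-a-y's patch, or WordPress's map_meta_cap. It is a minimal stand-alone model of WordPress-style capability resolution: the two sample roles are constructed (an administrator with manage_options but no explicit bp_moderate, and the custom role from the description with bp_moderate but not manage_options), the three mapping functions are assumptions that model the behaviours the thread describes, and map_fallback is one possible resolution, not a change the project made.

```php
<?php
declare(strict_types=1);

// Constructed sample roles (not from the reporter's site): a default-style
// administrator that has manage_options but no explicit bp_moderate, and the
// custom moderator role from the description, which has bp_moderate but not
// manage_options.
const SAMPLE_ROLES = [
    'administrator' => ['manage_options' => true, 'edit_users' => true],
    'bp_moderator'  => ['bp_moderate' => true, 'manage_options' => false, 'edit_users' => true],
];

// Holdover mapping (assumption modelling comment 1, not BP's actual code): a
// 'bp_moderate' check is rewritten into a 'manage_options' check.
function map_holdover(array $user_caps, string $cap): array {
    return $cap === 'bp_moderate' ? ['manage_options'] : [$cap];
}

// Explicit-cap mapping (assumption modelling the 01.patch idea from comment 2):
// 'bp_moderate' is granted only when the user's own caps contain it; otherwise
// the check is denied outright.
function map_explicit(array $user_caps, string $cap): array {
    if ($cap !== 'bp_moderate') {
        return [$cap];
    }
    return !empty($user_caps['bp_moderate']) ? ['bp_moderate'] : ['do_not_allow'];
}

// One possible resolution (an assumption, not a committed BP change): honour an
// explicit bp_moderate, and otherwise fall back to manage_options so that
// default administrators keep their menus.
function map_fallback(array $user_caps, string $cap): array {
    if ($cap !== 'bp_moderate') {
        return [$cap];
    }
    return !empty($user_caps['bp_moderate']) ? ['bp_moderate'] : ['manage_options'];
}

// Minimal stand-in for current_user_can(): map the requested cap to primitive
// caps, then require every primitive to be present; 'do_not_allow' always fails.
function user_can(array $user_caps, callable $mapper, string $cap): bool {
    foreach ($mapper($user_caps, $cap) as $primitive) {
        if ($primitive === 'do_not_allow' || empty($user_caps[$primitive])) {
            return false;
        }
    }
    return true;
}

// The Groups/Activity admin menus are registered with 'bp_moderate' (description).
function groups_menu_visible(array $user_caps, callable $mapper): bool {
    return user_can($user_caps, $mapper, 'bp_moderate');
}

// xprofile_add_admin_menu() (comment 13) first requires 'bp_moderate' and then
// registers the submenu with 'manage_options', so both checks must pass.
function profile_fields_visible(array $user_caps, callable $mapper): bool {
    return user_can($user_caps, $mapper, 'bp_moderate')
        && user_can($user_caps, $mapper, 'manage_options');
}

$mappers = [
    'holdover'       => 'map_holdover',
    '01.patch model' => 'map_explicit',
    'fallback'       => 'map_fallback',
];

foreach ($mappers as $label => $mapper) {
    foreach (SAMPLE_ROLES as $role => $caps) {
        printf(
            "%-15s %-14s groups=%-4s profile_fields=%s\n",
            $label,
            $role,
            groups_menu_visible($caps, $mapper) ? 'yes' : 'no',
            profile_fields_visible($caps, $mapper) ? 'yes' : 'no'
        );
    }
}
```

Run with `php model.php`. Under the holdover mapping the custom role sees neither menu, which is the bug in the description; under the explicit-cap model the custom role gets Groups but the administrator loses both Groups and Profile Fields, which is the regression reported in comment 13 (and why adding bp_moderate to the administrator role made it reappear); the fallback mapping keeps the administrator working while still honouring the custom role's explicit bp_moderate.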

#14 @DJPaul
5 years ago

  • Keywords needs-patch added; has-patch removed
  • Milestone changed from 2.2 to Future Release

I think this needs some planning and consideration around the issues in general, I don't think we'll get to it for 2.2.

#15 @DJPaul
5 years ago

  • Component changed from Core to Roles/Capability

4 years ago

This ticket was mentioned in Slack in #buddypress by thebrandonallen.

#17 @DJPaul
3 years ago

  • Component changed from API - Roles/Capability to Core