Opened 10 years ago
Closed 4 months ago
#5869 closed defect (bug) (worksforme)
Users with 'bp_moderate' capability required to also have 'manage_options' capability
| Reported by: | ryanjhale | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 1.6 |
| Component: | Core | Keywords: | needs-patch |
| Cc: | | | |
Description
After creating a new WordPress role with the bp_moderate capability, the Groups and Activity admin menus are not displayed. Below are the capabilities of the user in this new role along with a screenshot of what the user sees.
Screenshot:
https://www.dropbox.com/s/jyu4pign0aaghlt/Screen%20Shot%202014-09-09%20at%2010.13.46%20AM.png?dl=0
Capabilities available with role:
activate_plugins => false,
delete_others_pages => true,
delete_others_posts => true,
delete_pages => true,
delete_plugins => false,
delete_posts => true,
delete_private_pages => true,
delete_private_posts => true,
delete_published_pages => true,
delete_published_posts => true,
edit_dashboard => false,
edit_files => false,
edit_others_pages => true,
edit_others_posts => true,
edit_pages => true,
edit_posts => true,
edit_private_pages => true,
edit_private_posts => true,
edit_published_pages => true,
edit_published_posts => true,
edit_theme_options => false,
export => true,
import => false,
list_users => true,
manage_categories => true,
manage_links => true,
manage_options => false,
moderate_comments => true,
promote_users => true,
publish_pages => true,
publish_posts => true,
read_private_pages => true,
read_private_posts => true,
read => true,
remove_users => true,
switch_themes => false,
upload_files => true,
update_core => false,
update_plugins => false,
update_themes => false,
install_plugins => false,
install_themes => false,
delete_themes => false,
edit_plugins => false,
edit_themes => false,
edit_users => true,
create_users => true,
delete_users => true,
unfiltered_html => true,
bp_moderate => true
It appears that the user should be able to see these menus as it appears that bp_moderate is the capability required to see the menu. From bp-groups/bp-groups-admin.php:
$hook = add_menu_page(
    __( 'Groups', 'buddypress' ),
    __( 'Groups', 'buddypress' ),
    'bp_moderate',
    'bp-groups',
    'bp_groups_admin',
    'div'
);
Side note: If I set manage_options => true, the menus display correctly, but that is not desired in this case.
Attachments (2)
Change History (20)
#1
10 years ago
- Keywords dev-feedback added
- Milestone changed from Awaiting Review to 2.2
- Summary changed from bp_moderate capability doesn't allow access to Groups and Activity admin menus to Users with 'bp_moderate' capability required to also have 'manage_options' capability
- Version set to 1.6
#2
10 years ago
- Keywords has-patch added; dev-feedback removed
01.patch is a quick fix. It grabs the user's capabilities and does an explicit check for the 'bp_moderate' cap. If the user does not have this cap, we disallow the cap.
Did some quick testing and this works. Only thing is the WP Toolbar appears to be missing the "Edit Member" menu item when on a BP user page, but should be easy to fix.
#3
10 years ago
bp_moderate has never been fully implemented, I am not surprised there are problems with it.
#4
10 years ago
@r-a-y, it looks like there may be some downstream ramifications for this fix. After doing some testing, I've noticed that my xprofile users submenu disappeared after applying the patch.
#5
10 years ago
After doing some testing, I've noticed that my xprofile users submenu disappeared after applying the patch.
I already noted that. See the latter part of comment:2.
This only applies to your new role with only the 'bp_moderate' cap. Regular admins should still work.
Like I mentioned, this is easy to fix. 02.patch should address this. You can either use 02.patch or add the edit_users cap to your custom role.
#6
10 years ago
Sorry, I should have been more clear. I'm seeing this problem when logged in as a regular admin.
#7
10 years ago
Can you elaborate what you mean by this - "I've noticed that my xprofile users submenu"?
#8
10 years ago
Yes, after I applied the patch, when logged in as the site admin, the Profile Fields submenu within the Users menu in admin disappears.
#9
10 years ago
I'm logged in as an administrator and the "Users > Profile Fields" menu item shows up for me on single-site. Haven't tested multisite, but that should work as well.
That page requires the 'manage_options' cap, which should work if you are an admin.
#10
10 years ago
Strange. OK, maybe I have something else going on here. I'm on a single site as well. I'll do some more digging. Thanks.
#11
10 years ago
For what it is worth, I was able to get Users > Profile Fields to show up if I explicitly added bp_moderate to the administrator's role. But without it, I wasn't able to access. Maybe that's exactly what you intended?
#12
10 years ago
Maybe that's exactly what you intended?
No, that's not what I intended.
The "Users > Profile Fields" page requires the 'manage_options' capability:
https://buddypress.trac.wordpress.org/browser/tags/2.0.2/bp-xprofile/bp-xprofile-admin.php#L27
Administrators should have the 'manage_options' cap by default.
Is it possible for you to test on a fresh dev environment of BP 2.0.2 without any patches and confirm that everything is working? Then apply the patch and see if the same problem pops back again?
#13
10 years ago
Happy to help. Unfortunately, I'm seeing the exact same thing that I saw before. Here are the steps I took:
-- New install of WP 4.0
-- Install BP 2.0.2
-- Turned on the BP settings to make sure everything was enabled.
-- Confirmed that Profile Fields displayed in the Users menu.
-- Applied the patch
-- Rechecked (unsuccessfully) to see if the Profile Fields link was there. It wasn't.
I took some screenshots and put them in a Google Slides presentation if it would be helpful to double-check:
One thing that I did look at before I reported this earlier is that the function that displays that submenu has an if statement that checks for bp_moderate. Not certain if that is completely relevant, but since there is an explicit check now, it made me wonder and that is why I decided to try out putting bp_moderate in the administrator's capabilities, which as I mentioned, did work.
function xprofile_add_admin_menu() {
    if ( !bp_current_user_can( 'bp_moderate' ) )
        return false;

    add_users_page( __( 'Profile Fields', 'buddypress' ), __( 'Profile Fields', 'buddypress' ), 'manage_options', 'bp-profile-setup', 'xprofile_admin' );
}
#14
10 years ago
- Keywords needs-patch added; has-patch removed
- Milestone changed from 2.2 to Future Release
I think this needs some planning and consideration around the issues in general, I don't think we'll get to it for 2.2.
Thanks for reporting this, ryanjhale.
I took a closer look at why the 'manage_options' cap is required even though the 'bp_moderate' cap is set for a user and it appears this is a holdover from an earlier implementation of 'map_meta_caps'.
It appears that BP forces users with the 'bp_moderate' cap to also have the 'manage_options' cap on single site. See: https://buddypress.trac.wordpress.org/browser/tags/2.0.2/bp-core/bp-core-caps.php#L199
For v2.2, we'll probably need to audit capabilities with BuddyPress (see #5121) before tackling this.
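
The capability rewrite discussed in this ticket can be modelled outside WordPress to see which menus each role reaches. This is an added example, not BuddyPress or WordPress code: the role names and the functions `map_rewrite`, `map_direct`, `can` and `menus` are hypothetical, and the administrator role is assumed to hold `manage_options` without an explicit `bp_moderate` grant.

```php
<?php
// Stand-alone model of capability resolution; not BuddyPress or WordPress code.
// Capability names come from the ticket; role and function names are hypothetical.
$roles = [
    // Assumption: administrators hold manage_options but no explicit bp_moderate.
    'administrator'        => ['manage_options' => true],
    // The reporter's custom role.
    'moderator'            => ['bp_moderate' => true, 'manage_options' => false],
    // The reporter's side-note workaround.
    'moderator_workaround' => ['bp_moderate' => true, 'manage_options' => true],
];

// Behaviour described in the ticket for single site: a bp_moderate check
// is answered by checking manage_options instead.
function map_rewrite(string $cap): array {
    return $cap === 'bp_moderate' ? ['manage_options'] : [$cap];
}

// What the reporter expected: every capability is checked as granted.
function map_direct(string $cap): array {
    return [$cap];
}

// A check passes only if every capability the mapper returns is granted.
function can(callable $mapper, array $granted, string $cap): bool {
    foreach ($mapper($cap) as $required) {
        if (empty($granted[$required])) {
            return false;
        }
    }
    return true;
}

// Gates quoted in the ticket: Groups is registered with bp_moderate; Profile
// Fields checks bp_moderate first and is registered with manage_options.
function menus(callable $mapper, array $granted): array {
    $moderate = can($mapper, $granted, 'bp_moderate');
    return [
        'Groups'         => $moderate,
        'Profile Fields' => $moderate && can($mapper, $granted, 'manage_options'),
    ];
}

foreach (['map_rewrite', 'map_direct'] as $mapper) {
    foreach ($roles as $name => $granted) {
        $m = menus($mapper, $granted);
        printf("%-11s %-20s Groups=%-3s Profile Fields=%s\n", $mapper, $name,
            $m['Groups'] ? 'yes' : 'no', $m['Profile Fields'] ? 'yes' : 'no');
    }
}
```

Under `map_rewrite` the moderator role reaches Groups only in the workaround row, which also exposes Profile Fields; under `map_direct` the moderator reaches Groups alone, but an administrator without an explicit `bp_moderate` grant loses both menus.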