Opened 6 years ago
Last modified 6 years ago
#7473 new enhancement
Extended Profile edit should honour WP's "edit_users" capability
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Contributions | Priority: | high |
| Severity: | major | Version: | |
| Component: | Extended Profile | Keywords: | |
| Cc: | | | |
Description
I know this has been brought up before, but I consider this to be a major defect in BuddyPress, so I'm opening a new ticket for further discussion in the hope that it might get fixed sooner rather than later.
At the moment, to be able to edit the user's extended profile page on either the back-end or front-end requires the 'manage_options' capability, which is far too powerful to be granted if one needs a sub-admin user to be able to edit these screens.
I don't see why it's not possible to just use the standard WP roles of "edit_users" to grant access to these screens. It's a quick fix, so please fix it!
Change History (3)
#1
@
6 years ago
- Component changed from Core to Extended Profile
- Milestone changed from Awaiting Review to Future Release
- Type changed from defect (bug) to enhancement
#3
@
6 years ago
I've fixed it with a little addition to my functions.php, based on the code from bp-core-caps.php
```php
function bgmc_enforce_bp_moderate_cap_for_admins( $caps = array(), $cap = '', $user_id = 0, $args = array() ) {
	if ( 'bp_moderate' !== $cap ) {
		return $caps; // Bail if not checking the 'bp_moderate' cap.
	}
	if ( bp_is_network_activated() ) {
		return $caps; // Bail if BuddyPress is network activated.
	}
	if ( bp_is_user_inactive( $user_id ) ) {
		return $caps; // Never trust inactive users.
	}
	return array( 'edit_users' ); // Only users that can 'edit_users' on this site can 'bp_moderate'.
}
remove_filter( 'map_meta_cap', '_bp_enforce_bp_moderate_cap_for_admins', 10 );
add_filter( 'map_meta_cap', 'bgmc_enforce_bp_moderate_cap_for_admins', 10, 4 );
```
Haven't so far noticed any adverse effects.
Hi @petervandoorn - Thanks for the ticket. I haven't seen this specific issue asked about before, but it's a good idea.
We're currently a bit constrained because of our general lack of fine-grained permission controls. #7176 has the outline of a strategy for the Activity component. Once we have the beginnings of a strategy, we can implement it for a more focused issue like this one.
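An added example, not part of the ticket and not BuddyPress code: a standalone PHP model of how the `map_meta_cap` remap posted in comment 3 changes which roles pass a `bp_moderate` check. The role table is constructed sample data (`sub_admin` is a hypothetical custom role), and `model_user_can()` is a simplified stand-in for WordPress's capability check, not its real implementation.

```php
<?php
// Constructed sample data: role => primitive capabilities it holds.
// 'sub_admin' is a hypothetical custom role; the other rows are simplified.
$roles = array(
    'administrator' => array( 'manage_options', 'edit_users', 'list_users' ),
    'sub_admin'     => array( 'edit_users', 'list_users' ),
    'editor'        => array( 'edit_others_posts' ),
);

// Stock mapping as described in the ticket: bp_moderate requires manage_options.
function stock_mapping( $cap ) {
    return ( 'bp_moderate' === $cap ) ? array( 'manage_options' ) : array( $cap );
}

// Mapping after the workaround in comment 3: bp_moderate requires edit_users.
function workaround_mapping( $cap ) {
    return ( 'bp_moderate' === $cap ) ? array( 'edit_users' ) : array( $cap );
}

// Simplified stand-in for a capability check: the meta capability is mapped
// to primitive capabilities, and the role must hold every one of them.
function model_user_can( array $role_caps, $cap, callable $mapping ) {
    foreach ( $mapping( $cap ) as $required ) {
        if ( ! in_array( $required, $role_caps, true ) ) {
            return false;
        }
    }
    return true;
}

// Roles that pass the check only because of the remap (denied before, allowed after).
function roles_gaining_cap( array $roles, $cap ) {
    $gained = array();
    foreach ( $roles as $name => $caps ) {
        $before = model_user_can( $caps, $cap, 'stock_mapping' );
        $after  = model_user_can( $caps, $cap, 'workaround_mapping' );
        if ( ! $before && $after ) {
            $gained[] = $name;
        }
    }
    return $gained;
}

// List the roles whose bp_moderate access changes under the workaround.
echo implode( ', ', roles_gaining_cap( $roles, 'bp_moderate' ) ), PHP_EOL;
```

Because the filter changes the mapping for `bp_moderate` itself, every check made against that capability follows the new mapping, so the set of roles holding `edit_users` on a site is worth reviewing before applying it.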