BuddyPress.org

Opened 3 years ago

Last modified 3 years ago

#7473 new enhancement

Extended Profile edit should honour WP's "edit_users" capability

Reported by: petervandoorn
Owned by:
Milestone: Awaiting Contributions
Priority: high
Severity: major
Version:
Component: Extended Profile
Keywords:
Cc:

Description

I know this has been brought up before, but I consider this to be a major defect in BuddyPress, so I'm opening a new ticket for further discussion in the hope that it might get fixed sooner rather than later.

At the moment, to be able to edit the user's extended profile page on either the back-end or front-end requires the 'manage_options' capability, which is far too powerful to be granted if one needs a sub-admin user to be able to edit these screens.

I don't see why it's not possible to just use the standard WP roles of "edit_users" to grant access to these screens. It's a quick fix, so please fix it!

Change History (3)

#1 @boonebgorges
3 years ago

  • Component changed from Core to Extended Profile
  • Milestone changed from Awaiting Review to Future Release
  • Type changed from defect (bug) to enhancement

Hi @petervandoorn - Thanks for the ticket. I haven't seen this specific issue asked about before, but it's a good idea.

We're currently a bit constrained because of our general lack of fine-grained permission controls. #7176 has the outline of a strategy for the Activity component. Once we have the beginnings of a strategy, we can implement it for a more focused issue like this one.

#2 @petervandoorn
3 years ago

Well, there's this one from 3 years ago: #5869

The thing is, as a WordPress developer I completely expected BP to follow WP's capabilities for something like this. BP is, after all, a WP plugin and should abide by WP's methods.

Thanks

#3 @petervandoorn
3 years ago

I've fixed it with a little addition to my functions.php, based on the code from bp-core-caps.php

function bgmc_enforce_bp_moderate_cap_for_admins( $caps = array(), $cap = '', $user_id = 0, $args = array() ) {
        if ( 'bp_moderate' !== $cap ) return $caps; // Bail if not checking the 'bp_moderate' cap.
        if ( bp_is_network_activated() ) return $caps; // Bail if BuddyPress is network activated.
        if ( bp_is_user_inactive( $user_id ) ) return $caps; // Never trust inactive users.
        return array( 'edit_users' ); // Only users that can 'edit_users' on this site can 'bp_moderate'.
}
remove_filter( 'map_meta_cap', '_bp_enforce_bp_moderate_cap_for_admins', 10 );
add_filter( 'map_meta_cap', 'bgmc_enforce_bp_moderate_cap_for_admins', 10, 4 );

Haven't so far noticed any adverse effects.
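
Added example, not part of the ticket thread and not BuddyPress code: the filter in comment #3 changes which primitive capability satisfies 'bp_moderate', and BuddyPress checks 'bp_moderate' in more places than the profile edit screens, so it is worth listing which roles newly pass that check before deploying it. The function name `example_roles_gaining_bp_moderate` and the sample roles are hypothetical; the input has the shape of `wp_roles()->roles`.

```php
<?php
/**
 * List roles that did not satisfy the old primitive capability but do
 * satisfy the new one, i.e. roles that start passing 'bp_moderate' once
 * the mapping moves from 'manage_options' to 'edit_users'.
 *
 * @param array  $roles   Role slug => array( 'capabilities' => array( cap => bool ) ).
 * @param string $old_cap Capability required before the change.
 * @param string $new_cap Capability required after the change.
 * @return array Role slugs that gain 'bp_moderate'.
 */
function example_roles_gaining_bp_moderate( array $roles, $old_cap = 'manage_options', $new_cap = 'edit_users' ) {
	$gained = array();
	foreach ( $roles as $slug => $role ) {
		$caps = isset( $role['capabilities'] ) ? $role['capabilities'] : array();
		// A capability stored as false is an explicit denial, not a grant,
		// so treat "missing" and "false" the same way.
		$had = ! empty( $caps[ $old_cap ] );
		$has = ! empty( $caps[ $new_cap ] );
		if ( $has && ! $had ) {
			$gained[] = $slug;
		}
	}
	return $gained;
}

// Constructed sample data. Inside WordPress, pass wp_roles()->roles instead.
$sample_roles = array(
	'administrator'  => array(
		'capabilities' => array( 'manage_options' => true, 'edit_users' => true ),
	),
	// Hypothetical sub-admin role of the kind the ticket describes.
	'profile_editor' => array(
		'capabilities' => array( 'read' => true, 'edit_users' => true ),
	),
	// Explicitly denied: must not be reported as gaining access.
	'editor'         => array(
		'capabilities' => array( 'edit_posts' => true, 'edit_users' => false ),
	),
);

print_r( example_roles_gaining_bp_moderate( $sample_roles ) );
```

Capabilities granted to individual users rather than through a role are not covered by this role-level check and need a separate review.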
