"Activate Administrator Menu Access module" bug
- This topic has 37 replies, 2 voices, and was last updated 7 years ago by Vladimir.
28/10/2017 at 15:54 #4341 albiurs (Participant)
Hi Vladimir,
It looks like we have the same (or a similar) bug again. This time with the plugin Real Media Library (https://codecanyon.net/item/wordpress-real-media-library-media-categories-folders/13155134). If I choose an RML folder (e.g. https://fclandquart.ch/wp-admin/upload.php?rml_folder=1), then I’m forwarded to the dashboard instead of accessing the requested folder, which is exactly the same issue as I had in the previous posts above. If I deactivate User Role Editor Pro, everything works correctly.
Thanks for fixing it.
Best,
Urs

30/10/2017 at 04:15 #4343 Vladimir (Keymaster)
Hi Urs,
It’s not a bug, it’s a feature for custom URL arguments added by plugins. “Block not selected” is too restrictive. It blocks any URL which belongs to the admin menu but differs from the selected/allowed one in its list of arguments. When you discover this for WP built-in features, it’s a bug. I include a fix in URE Pro directly. If a URL argument comes from some plugin: for a popular plugin I can add support for that plugin directly to URE Pro. For others, there is a special filter in URE Pro which allows changing the list of allowed URL arguments. Take the code below and insert it into your active theme’s functions.php file or set it up as a Must Use plugin:
```php
// Allow the rml_folder URL argument for upload.php
add_filter('ure_admin_menu_access_allowed_args', 'ure_allow_arg_for_upload', 10, 1);

function ure_allow_arg_for_upload($args) {
    $args['upload.php'][''][] = 'rml_folder';

    return $args;
}
```
This should fix your problem with redirection from this URL for restricted role.

30/10/2017 at 13:35 #4346 albiurs (Participant)
Hi Vladimir,
Thanks so much for your reply! I think now I finally got what the issue actually is about. Thanks for the code, I added a mu-plugin which works fine.
So, if URE Pro blocks legitimate url arguments, then of course other customers will have the same issue too, as the number of url arguments is endless and this of course is an issue. The mu-plugin works, but this is rather a workaround than a proper solution. Therefore, I’d suggest to complement URE Pro with the option of a “url arguments whitelist”. Maybe you already know Bullet Proof Security Pro. This plugin does a similar thing. It blocks all plugin scripts by default and then provides a whitelist for legitimate scripts. All the plugin scripts get added to a textbox separated by commas – that’s it. I could imagine something similar for URE Pro. What do you think about this idea?
Best wishes,
Urs

30/10/2017 at 14:31 #4347 Vladimir (Keymaster)
Yes, you suggested exactly the same solution, about which I think myself. Thank you.
Yes, I plan to write a module to manage a white list of arguments for the admin menu links.

06/11/2017 at 16:39 #4373 albiurs (Participant)
Hi Vladimir,
Now, as I have activated the LayerSlider Plugin where I get the same issue within the editor using the following url:
/wp-admin/admin.php?page=layerslider&action=edit&id=1
What does the code above have to look like if the url is much longer like this?

07/11/2017 at 03:49 #4375 Vladimir (Keymaster)
Hi Urs,
Code for LayerSlider URL arguments will be:
```php
// Allow the id, action and _wpnonce URL arguments for admin.php?page=layerslider
add_filter('ure_admin_menu_access_allowed_args', 'ure_allow_arg_for_admin', 10, 1);

function ure_allow_arg_for_admin($args) {
    $args['admin.php']['layerslider'][] = 'id';
    $args['admin.php']['layerslider'][] = 'action';
    $args['admin.php']['layerslider'][] = '_wpnonce';

    return $args;
}
```

07/11/2017 at 16:44 #4381 albiurs (Participant)
Hi Vladimir,
Thank you very much! Is the line with _wpnonce actually needed? As the url does not contain more arguments the code also works without this line…
Thanks

07/11/2017 at 16:58 #4382 Vladimir (Keymaster)
I added ‘_wpnonce’ just in case… There is another link (Duplicate) on the page which contains this argument.
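
The two snippets from this thread folded into one table-driven mu-plugin, as an added example that is not part of the original posts and not URE Pro's own code. The `example_`/`EXAMPLE_` names are hypothetical, and the `$args[script][page][]` layout, including the `''` key for upload.php, is assumed from the snippets above.

```php
<?php
/**
 * Plugin Name: URE Pro allowed URL arguments (added example)
 * Drop into wp-content/mu-plugins/. Names prefixed example_ are hypothetical.
 */

// script => page slug => extra argument names, taken from the thread's snippets.
// The '' key mirrors the upload.php snippet, which uses no page slug.
const EXAMPLE_URE_EXTRA_ARGS = [
    'upload.php' => ['' => ['rml_folder']],
    'admin.php'  => ['layerslider' => ['id', 'action', '_wpnonce']],
];

/**
 * Merge extra argument names into the array passed by the
 * ure_admin_menu_access_allowed_args filter, skipping duplicates and
 * anything that is not a plain argument name.
 */
function example_ure_merge_allowed_args($args, array $extra = EXAMPLE_URE_EXTRA_ARGS)
{
    if (!is_array($args)) {
        $args = [];
    }
    foreach ($extra as $script => $pages) {
        foreach ($pages as $page => $names) {
            $current = $args[$script][$page] ?? [];
            foreach ($names as $name) {
                // Keep the list tight: literal names only, no wildcards or brackets.
                if (!is_string($name) || !preg_match('/^[A-Za-z0-9_-]+$/', $name)) {
                    continue;
                }
                if (!in_array($name, $current, true)) {
                    $current[] = $name;
                }
            }
            $args[$script][$page] = $current;
        }
    }
    return $args;
}

// add_filter() only exists inside WordPress; the guard lets the file be linted alone.
if (function_exists('add_filter')) {
    add_filter('ure_admin_menu_access_allowed_args', 'example_ure_merge_allowed_args', 10, 1);
}
```

Each entry widens what a restricted role can reach under that menu item, so list only the argument names that the plugin's own links actually use.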