Incorrect Capabilities Checked
- This topic has 5 replies, 2 voices, and was last updated 6 years, 3 months ago by Vladimir.
17/08/2018 at 19:55 #5084 TownNews.com (Participant)
I was defining a new role (via code) and one of my co-workers was trying to validate the settings in URE and kept telling me that capabilities I had explicitly defined as false for that role had the boxes checked in the URE UI.
Versions bug observed in: 4.47.1, 4.47.2 (LATEST)
Pro key entered.
WordPress: 4.9.7, 4.9.8 (LATEST)

What I discovered is that there’s a defect in the JavaScript (/js/ure.js:532): after the async request for get_role_caps comes back, the JavaScript only checks for the presence of the property name for a capability in order to check the box next to it, but does NOT validate that the value assigned to that property is true (or truthy). For example, in one of my test sites I defined one capability as true and another as false and I can see they are both checked.

Note: This can only be observed when selecting a role via JS; if the affected role is the default role that gets selected on page load, the boxes are checked correctly (via PHP).
Code used to define the new role:

    <?php
    add_action( 'admin_init', 'sample_add_role_test' );

    function sample_add_role_test() {
        $role_slug    = 'sample_role';
        $display_name = 'Sample Role';
        $capabilities = array(
            'publish_pages'    => true,
            'activate_plugins' => false
        );
        $role = add_role( $role_slug, $display_name, $capabilities );
    }
    ?>

Response from get_role_caps:

    {"result":"success","message":"Role capabilities retrieved successfully","role_id":"sample_role","role_name":"Sample Role","caps":{"publish_pages":true,"activate_plugins":false},"options":[]}

Result:
Upon switching to this role in /wp-admin/users.php?page=users-user-role-editor-pro.php and observing the JS update, both boxes for publish_pages and activate_plugins are selected.

This is causing issues for us that will require revisiting all of our role settings after this fix to make sure that upon saving after selecting a role we haven’t inadvertently assigned permissions to users who were supposed to NOT have that permission by design.
17/08/2018 at 20:00 #5085 TownNews.com (Participant)
The affected JavaScript looks like this:

    jQuery('.ure-cap-cb').each(function () {
        // go through all capabilities checkboxes
        jQuery(this).prop('checked', response.caps.hasOwnProperty(this.id));
    });

But should be more like:

    jQuery('.ure-cap-cb').each(function () {
        // go through all capabilities checkboxes
        if (response.caps.hasOwnProperty(this.id) && response.caps[this.id]) {
            jQuery(this).prop('checked', true);
        } else {
            jQuery(this).prop('checked', false);
        }
    });

This correctly checks boxes with true values and unchecks boxes with false values.
18/08/2018 at 01:54 #5086 Vladimir (Keymaster)
Thanks for your help in isolating this bug. I will publish the fix.
18/08/2018 at 11:18 #5090 Vladimir (Keymaster)
The fix was included in version 4.47.3, which I published today.
20/08/2018 at 14:43 #5096 TownNews.com (Participant)
Thank you for your prompt response, Vladimir! The new version displays capabilities as expected on my test environment.
20/08/2018 at 14:46 #5097 Vladimir (Keymaster)
Excellent! Thanks for the help with testing.
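
Added example, not part of any post above and not the plugin's own code: the two checkbox rules discussed in the thread, modelled without jQuery or a DOM, plus a hypothetical helper for the role review the original poster mentions. The function names, the `edit_posts` checkbox and the `storedAfterSave` data are constructed assumptions.

```javascript
// caps object from the get_role_caps response quoted in the thread.
const threadCaps = { publish_pages: true, activate_plugins: false };

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Presence-only rule: the behaviour reported in the thread.
function checkedByPresence(caps, capId) {
  return has(caps, capId);
}

// Presence-and-value rule: the behaviour of the correction proposed in the thread.
function checkedByValue(caps, capId) {
  return has(caps, capId) && Boolean(caps[capId]);
}

// Capabilities stored with a falsy value that the presence-only rule
// would still display as checked.
function misreportedCaps(caps) {
  return Object.keys(caps)
    .filter((id) => checkedByPresence(caps, id) && !checkedByValue(caps, id))
    .sort();
}

// Hypothetical audit helper: capabilities granted in the stored role but not
// in the intended definition, i.e. the ones to review after a save made
// from a wrongly rendered form.
function unintendedGrants(intendedCaps, storedCaps) {
  return Object.keys(storedCaps)
    .filter((id) => checkedByValue(storedCaps, id) && !checkedByValue(intendedCaps, id))
    .sort();
}

// Constructed sample data: checkbox ids on the form, and what the role would
// hold if the wrongly checked box had been saved as a grant (assumption).
const checkboxIds = ['publish_pages', 'activate_plugins', 'edit_posts'];
const storedAfterSave = { publish_pages: true, activate_plugins: true };

function demo() {
  return {
    presence: checkboxIds.filter((id) => checkedByPresence(threadCaps, id)),
    value: checkboxIds.filter((id) => checkedByValue(threadCaps, id)),
    misreported: misreportedCaps(threadCaps),
    toReview: unintendedGrants(threadCaps, storedAfterSave),
  };
}

console.log(demo());
```

Comparing each role's code definition against what is stored, as `unintendedGrants` does, narrows the review to capabilities that differ.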