Change WordPress user roles and capabilities › Forums › Bug Reports › Incorrect Capabilities Checked
- This topic has 5 replies, 2 voices, and was last updated 6 years, 4 months ago by Vladimir.
-
AuthorPosts
-
17/08/2018 at 19:55 #5084TownNews.comParticipant
I was defining a new role (via code) and one of my co-workers was trying to validate the settings in URE and kept telling me that capabilities I had explicitly defined as false for that role had the boxes checked in the URE UI.
Versions bug observed in: 4.47.1, 4.47.2 (LATEST)
Pro key entered.
WordPress: 4.9.7, 4.9.8 (LATEST)What I discovered is that there’s a defect in the JavaScript (/js/ure.js:532), after the async request for
get_role_caps
comes back the JavaScript only checks for the presence of the property name for a capability in order to check the box next to it, but does NOT validate that the value assigned to that property is true (or truthy). For example in one of my test sites I defined one capability as true and another as false and I can see they are both checked.Note: This can only be observed when selecting a role via JS; if the affected role is the default role that gets selected on page load, the boxes are checked correctly (via PHP)
Code used to define the new role:
<?php add_action( 'admin_init', 'sample_add_role_test' ); function sample_add_role_test() { $role_slug = 'sample_role'; $display_name = 'Sample Role'; $capabilities = array( 'publish_pages' => true, 'activate_plugins' => false ); $role = add_role( $role_slug, $display_name, $capabilities ); } ?>
Response from
get_role_caps
:
{"result":"success","message":"Role capabilities retrieved successfully","role_id":"sample_role","role_name":"Sample Role","caps":{"publish_pages":true,"activate_plugins":false},"options":[]}
Result:
Upon switching to this role in /wp-admin/users.php?page=users-user-role-editor-pro.php and observing the JS update both boxes for publish_pages and activate_plugins are selected.This is causing issues for us that will require revisiting all of our role settings after this fix to make sure that upon saving after selecting a role we haven’t inadvertently assigned permissions to users who were supposed to NOT have that permission by design.
17/08/2018 at 20:00 #5085TownNews.comParticipantThe affected JavaScript looks like this:
jQuery('.ure-cap-cb').each(function () { // go through all capabilities checkboxes jQuery(this).prop('checked', response.caps.hasOwnProperty(this.id)); });
But should be more like:
jQuery('.ure-cap-cb').each(function () { // go through all capabilities checkboxes if (response.caps.hasOwnProperty(this.id) && response.caps[this.id]) { jQuery(this).prop('checked', true); } else { jQuery(this).prop('checked', false); } });
This correctly checks boxes with
true
values and unchecks boxes withfalse
values.18/08/2018 at 01:54 #5086VladimirKeymasterThanks for your help in isolating this bug. I will publish the fix.
18/08/2018 at 11:18 #5090VladimirKeymasterThe fix was included into version 4.47.3, which I published today.
20/08/2018 at 14:43 #5096TownNews.comParticipantThank you for your prompt response Vladimir! The new version displays capabilities as expected on my test environment.
20/08/2018 at 14:46 #5097VladimirKeymasterExcellent! Thanks for the help with testing.
-
AuthorPosts
- You must be logged in to reply to this topic.