Roles that share pages with another role results in edit access to all pages
- This topic has 5 replies, 3 voices, and was last updated 6 years, 6 months ago by Vladimir.
20/11/2017 at 21:09 #4431 City Dev (Participant)
In my setup users have multiple roles. Everyone has a ‘Staff’ role that identifies them as employees and provides basic access to their profile and the dashboard. Then everyone has one or more ‘Department’ roles that provide the IDs of all the content they can potentially access. Finally, everyone has one or more ‘Functional’ roles that determine what functionality they actually have access to (pages, posts, forms, events, etc…). So, one can have a specific ‘Department’ role, but can’t edit the content without the corresponding ‘Functional’ role.
This setup has worked nicely to provide flexible role control. However, I’ve discovered an issue and I’m not sure if it’s always been present or if a previous update is the culprit.
I have two ‘Department’ roles which share access to some pages. One of the ‘Department’ roles can access the parent page and all its children. The other role is only supposed to have access to a select number of the child pages. The role with access to the parent and children works as expected. The other role (which is supposed to be restricted to specific children) instead has access to edit every page on the site.
There are two roles that function in this manner and they are the only two roles that exhibit the issue of unrestricted access to all pages. All other roles that don’t share content with another role appear to function as expected.
21/11/2017 at 16:55 #4432 Vladimir (Keymaster)
Take into account this information about multiple roles assigned to a user. URE Pro looks for the restriction model (Allow, Block) set for the primary role, and if another value was selected for other roles, the edit restriction settings made for those other roles are ignored. Check if that is your case. Maybe you need to grant the user a role with edit restrictions as the primary one, or set the same restriction model for all roles granted to the user.
29/11/2017 at 20:09 #4451 City Dev (Participant)
With that info I was able to locate the problem.
All roles are set to ‘Allow’ with the exception of one functional role I created for media access. That role was set to ‘Deny’. Once set to ‘Allow’ the problem was fixed.
06/06/2018 at 11:01 #4923 csoftintl (Participant)
I am facing a similar issue. I have also set up my roles with a somewhat hierarchical structure.
– Everyone is an employee (primary, automatic upon registration)
– Certain roles are cumulative (sales or upper-management, for example)
  – everyone sees content aimed at employee
  – fewer see content aimed at sales but see all content for employee
  – even fewer see content aimed at management, but see all content for sales and employee.
I found that when I limit content visibility of post categories for sales, my sales user cannot see the content because they are also employee.
Any possible workarounds?
07/06/2018 at 10:55 #4929 Vladimir (Keymaster)
When I return to my computer after a 2-day trip, I will run more tests on the subject and inform you about the results.
11/06/2018 at 03:57 #4939 Vladimir (Keymaster)
To @csoftintl:
View restrictions for a role include a blocking model: “selected” or “not selected”. When a user has more than 1 role, URE takes into account view criteria only from those roles whose blocking model is the same as the one set for the primary role.
Do you use the same blocking model for all roles assigned to the same user?
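An added example, not part of the thread and not URE Pro code: a simplified Python model of the rule described in the replies above (only roles whose restriction model matches the primary role's are honoured), used to flag users whose role set mixes models. The role names, page IDs and the convention that the first role in each list is the primary one are assumptions made for illustration.

```python
# Simplified model of the multi-role rule described in this thread.
# This is NOT URE Pro's code; all names and IDs are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    model: str                                  # "allow" or "block"
    page_ids: set = field(default_factory=set)  # IDs listed in the role's restriction


def resolve(roles):
    """roles[0] is treated as the primary role (assumption).

    Returns (model, merged_page_ids, ignored_role_names): restrictions from
    roles whose model differs from the primary role's model are dropped.
    """
    model = roles[0].model
    merged, ignored = set(), []
    for role in roles:
        if role.model == model:
            merged |= role.page_ids
        else:
            ignored.append(role.name)
    return model, merged, ignored


def audit(users):
    """Return {user: [roles whose restrictions are silently ignored]}."""
    findings = {}
    for user, roles in users.items():
        ignored = resolve(roles)[2]
        if ignored:
            findings[user] = ignored
    return findings


# Constructed sample: three users with different role combinations.
USERS = {
    "alice": [Role("staff", "allow"), Role("dept_parent", "allow", {10, 11, 12}),
              Role("func_pages", "allow")],
    "bob": [Role("func_media", "block", {900}), Role("dept_children", "allow", {11, 12})],
    "carol": [Role("staff", "allow"), Role("dept_children", "allow", {11, 12}),
              Role("func_media", "block", {900})],
}

if __name__ == "__main__":
    for user, ignored in audit(USERS).items():
        print(f"{user}: restrictions ignored for roles {ignored}")
```

Any user reported by `audit` carries at least one role whose restriction list is not being enforced, which is the condition both posters ran into; aligning the models across that user's roles clears the finding.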