Change WordPress user roles and capabilities › Forums › Bug Reports › Show Plugins/Themes and Admin Menu Access Issues
- This topic has 16 replies, 2 voices, and was last updated 6 years, 2 months ago by DT.
-
AuthorPosts
-
12/10/2018 at 22:38 #5192DTParticipant
Hey Vladimir,
For User Role Editor Options under settings for my multisite network options I have the Show plugins/themes notices to admin only checked. You can see in the screenshot below.
https://drive.google.com/open?id=1bDFKJH-tUfmEDk1SHYCN7AEbfBagdApv
But for my editor role they can still see plugin and theme notices. For example in the screenshot below you will see that WooCommerce notices are showing on the dashboard.
I have given the editor role more capabilities than the default. But is there a certain capability that would allow the editor to see these notification / notices even though the option above is checked?https://drive.google.com/open?id=11ug5aidtV-F9A9ZojK2biOuRoaJp_k9C
Second Issue
My user role does not have the capability to delete sites. But for some reason this still shows underneath Tools as an option. I have tools blocked in the admin menu access but because they for some reason are still able to delete sites they are seeing Tools in the menu and still can delete sites.Also The visual composer page builder menu is blocked to this user role using admin access menu but again it is still showing up in the menu list. At least in this case it is redirecting to the dashboard.
Lastly I have mailgun installed on my multsite environment and there are two menu items for this. Mailgun and mailgun lists. Neither of these show up in the admin access menu for me to have blocked. They are underneath settings.
Thank you so much for your continued help
12/10/2018 at 23:28 #5193DTParticipantI just found one more issue as well. I updated my Woocommerce from version 3.4.5 to version 3.4.6 and now all of a sudden when i’m in User Role Editor in my network settings I cannot filter through the user roles. Its stuck on customer. (Select Role and change its capabilities: )*** Won’t let me choose editor, contributor etc to actually view, adjust or change their capabilities.
I tested this on my staging site as well after it broke on production with the Woocommerce update.
13/10/2018 at 01:30 #5195VladimirKeymasterHi,
About a problem with roles list – it’s a WooCommerce bug introduced at version 3.4.6.
More information:
https://wordpress.org/support/topic/woocommerce-blocks-super-admin-permissions/13/10/2018 at 01:33 #5196VladimirKeymasterI’m ready to analyse the reported issues with admin menu. The most quick way is to setup a copy of your site at my development environment. Is it possible to get files (without wp-content/uploads) and database copy of your site (may be stage one, without wp_users table) for this purpose?
13/10/2018 at 01:45 #5197DTParticipantHopefully woocommerce fixes that quickly. I rolled back to previous version for now.
I can launch a staging site for you and provide SuperAdmin access as well as SFTP access to the staging environment. Is there a safe way to deliver this information to you?
13/10/2018 at 01:49 #5198VladimirKeymasterSend credentials to support [at-sign] role-editor.com
13/10/2018 at 16:59 #5199DTParticipantI have sent the email with credentials. Please let me know what you find and if you need anything else!
16/10/2018 at 15:49 #5203DTParticipantHey Vladimir. Any update on this?
Thanks!
16/10/2018 at 16:28 #5204VladimirKeymasterHi Danny,
“Show theme/plugin notices to admin only” option at URE’s option page uses WordPress built-in admin theme CSS classes to hide HTML element simply changing its ‘display’ property to ‘none’.
I think that ‘clientside’ plugin redefines notices part HTML/CSS structure. So this URE’s simple hack stopped working.
You may try more advanced technique to force WordPress do not output such notices at all. May be it will work this way for the modified admin theme.
It’s possible to use role additional options for that. Additional option code to hide admin notices is described here.
16/10/2018 at 16:33 #5205DTParticipantThanks for the response. I look into that. What about my second issue listed?
My user role does not have the capability to delete sites. But for some reason this still shows underneath Tools as an option. I have tools blocked in the admin menu access but because they for some reason are still able to delete sites they are seeing Tools in the menu and still can delete sites.
Also The visual composer page builder menu is blocked to this user role using admin access menu but again it is still showing up in the menu list. At least in this case it is redirecting to the dashboard.
Lastly I have mailgun installed on my multsite environment and there are two menu items for this. Mailgun and mailgun lists. Neither of these show up in the admin access menu for me to have blocked. They are underneath settings.
Thank you so much for your continued help
16/10/2018 at 16:44 #5206VladimirKeymaster“Tools->Delete Site” menu item is protected by meta capability ‘delete_site’, which is mapped finally to the real ‘manage_options’ capability. Your modified ‘editor’ role has ‘manage_options’ capability. This explains 1) why user with editor role has access to the ‘Tools->Delete Site” menu item.
I made quick test and “Admin menu access” hides/blocks this menu item successfully for the WordPress built-in admin theme. I suppose that User Role Editor is not compatible with “clientside” plugin. Can you deactivate this plugin temporally and look if “Delete Site” menu item will be hidden for a user with ‘editor” role?
I will try to answer on VC and mailgun part of your question tomorrow.
16/10/2018 at 16:51 #5207DTParticipantEven when I have clientside disabled it the Tools and Delete site still show on my menu. I have left it deactivated so that you can see it still shows.
So it does not appear to be a Clientside being incompatible with URE issue. Also just to confirm MailGun and Visual Composer both still show as well with Clientside Deactivated.
16/10/2018 at 16:52 #5208VladimirKeymasterThank you for this information. I will continue tomorrow. It’s too late today here (GMT+7).
17/10/2018 at 12:25 #5209VladimirKeymasterHi,
Let me insist that Clienside plugin makes changes not compatible with WordPress default policy, and thus URE is not compatible with it.
URE shows user capability taken from the WordPress global $menu and $submenu structures. All them are shown as ‘read’.
Thus full submenus are available to the ‘editor’ role while it does not has full list of existing capabilities.Btw, ‘Delete site’ menu item was not selected for blocking. May be it was a reason while this menu item was still visible for the user with ‘editor’ role.
But the “Tools” submenu contains just 2 items which available to the ‘editor’ role according to its real capabilities. The same is correct for the other submenu.
More, “Mailgun” and “Mailgun Lists” becomes visible under the “Settings” menu. They were unselected when I made screenshot. They disappeared from the “editor” point of view after I blocked them here.
The only unresolved issue is “Page builder” welcome page menu item.
A problem is that it does not exists in admin menu while a user or role has real access to at least one of the “Page builder” menu items. This menu items is created by js-composer plugin for user who does not have access to its menu at all. So we can not block it via URE’s admin menu.It’s possible to hide it via custom code only.
My final conclusion, ‘Clientside’ is really involved to the reported problems.
I will not spent time for compatibility of URE with Clientside. The plugin should respect permissions of WordPress global structures, such as admin menu.
So if you will decide to stay with ‘Clientside’, I’m ready to refund your payment for User Role Editor.
17/10/2018 at 14:07 #5210DTParticipantI will reach out to the Clientside Developer and have him fix the permission issues that the plugin is causing. He is very responsive and willing to make his product better.
Only thing I will add is that I noticed you are looking at the admin menu options via the Sub Site. I am referring to the NETWORK control options not the sub site controls of URE. The delete site and mailgun both show on the Sub Site.
BUT Those options don’t show at all from the network URE Admin Menu Options. My Concern is if I change the network options for admin menu it will overwrite what has been set on the sub sites.
I understand you won’t make URE compatible with Clientside. I’m not asking you to and I will have the deveveloper fix permission issues so that it works with Clientside.
But can you at least answer the question regarding why mailgun and delete site only show on the subsites and not in the network control options?
Thanks again
-
AuthorPosts
- You must be logged in to reply to this topic.