Forum Replies Created

Viewing 15 posts - 316 through 330 (of 2,514 total)
  • Vladimir
    Keymaster

    GraphQL plugin uses ‘manage_options’ user capability to protect all its admin menu items.

    You can grant ‘manage_options’ to your role, then block unneeded menu items using Admin menu blocking add-on.

    in reply to: WOOCOMMERCE PRODUCT FEED PRO for #7572
    Vladimir
    Keymaster

    Hi,

    This plugin uses ‘manage_options’ user capability to protect its menu/submenu items.

    in reply to: Gravity Forms Add Ons Permissions Missing #7569
    Vladimir
    Keymaster

    Hi,

    If it’s applicable, send admin login credentials to support [at-sign] role-editor.com
    I will look into the issue on the site.

    in reply to: Admin Menu redirects to dashboard #7565
    Vladimir
    Keymaster

    Read carefully the “Block not selected” part of the documentation article.

    in reply to: Gravity Forms Add Ons Permissions Missing #7563
    Vladimir
    Keymaster

    “Gravity Forms Add-Ons” section is provided by Gravity Forms itself via GFAddOn (includes/addon/class-gf-addon.php) class.
    My test showed that this group is filled with caps as expected. I suppose that some active add-on may break the data structures used for this. Try temporarily deactivating all GF add-ons and activating them back one by one, repeating the test each time, to check whether this assumption is true and to isolate the conflict.

    in reply to: permissions settings for woocommerce and others #7561
    Vladimir
    Keymaster

    Admin notification for 3: I don’t have a solution at hand. In theory, custom code hooked to the post status change (e.g. transition_post_status) from ‘draft’ to ‘pending’ may resolve this task.
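
The hook mentioned above, sketched as an added example that is not part of the original post: it mails the site admin when a post or product moves from ‘draft’ to ‘pending’. The function name, the post types and the message text are assumptions.

```php
<?php
// Added example (not from the original post). Function name is hypothetical.
add_action( 'transition_post_status', 'example_notify_admin_on_pending', 10, 3 );

function example_notify_admin_on_pending( $new_status, $old_status, $post ) {
    // React only to the draft -> pending transition discussed in the thread.
    if ( 'pending' !== $new_status || 'draft' !== $old_status ) {
        return;
    }

    // Assumption: only posts and WooCommerce products need a notification.
    if ( ! in_array( $post->post_type, array( 'post', 'product' ), true ) ) {
        return;
    }

    $author      = get_userdata( $post->post_author );
    $author_name = $author ? $author->display_name : 'unknown';

    // The title is user-supplied: strip markup before placing it in the mail.
    $title = wp_strip_all_tags( $post->post_title );

    $subject = sprintf(
        '[%s] Pending review: %s',
        wp_specialchars_decode( get_bloginfo( 'name' ), ENT_QUOTES ),
        $title
    );

    // Build the edit link directly: get_edit_post_link() checks the
    // capabilities of the current user, who is the submitting author here.
    $body = sprintf(
        "Author: %s\nType: %s\nEdit: %s\n",
        $author_name,
        $post->post_type,
        admin_url( 'post.php?post=' . (int) $post->ID . '&action=edit' )
    );

    wp_mail( get_option( 'admin_email' ), $subject, $body );
}
```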

    in reply to: permissions settings for woocommerce and others #7559
    Vladimir
    Keymaster

    1, 2 – It’s possible to set up via the “Edit restrictions add-on”. Activate it, then open the “Edit post” dialog for a role and select “Own data only”.

    3 – You should have used the contributor role, not the author, as the base role for the starting point. Revoke these capabilities from the role: ‘publish_posts’, ‘publish_products’, ‘edit_published_posts’, ‘edit_published_products’, ‘delete_published_posts’, ‘delete_published_products’.

    4 – You cannot control with URE which fields are shown on the front-end product page.

    in reply to: When URE is enabled WpUltimo throws an error #7550
    Vladimir
    Keymaster

    Is WpUltimo available at wordpress.org/plugins, or is it a commercial product? I need access to a copy of it to check the issue.

    Can you share the full stack trace from PHP? It should show where the remove_user_from_block() function is called from and what code sends it a WP_Error object instead of an integer value in the $user_id variable.

    Vladimir
    Keymaster

    In general, WordPress checks the delete_posts capability for images and, additionally, whether the user can delete the post to which the image is attached. So the delete_others_posts capability may be required in that case.

    If the option “Force custom post types to use own user capabilities” is turned ON in URE’s Settings, then ‘delete_attachments’ and ‘delete_others_attachments’ may be required in the same way as the posts capabilities mentioned above.

    in reply to: Multisite give user rights to add and to a page #7541
    Vladimir
    Keymaster

    Is URE network activated?
    Or is it activated for a single subsite?

    in reply to: Multisite give user rights to add and to a page #7539
    Vladimir
    Keymaster

    Hi,

    1st, decide if you trust this person enough. Using script tags may lead to compromised permissions and vulnerabilities.

    2nd, go to the “Network Admin -> Settings -> User Role Editor -> Multisite” tab and turn ON the Enable "unfiltered_html" capability option.

    3rd, go to the site where your user has the ‘administrator’ role and open ‘Users->User Role Editor’, select the ‘administrator’ role, and turn ON the ‘unfiltered_html’ capability. It’s located in the ‘Deprecated’ group.

    in reply to: add_menu_page #7534
    Vladimir
    Keymaster

    Hi,

    Replace ‘administrator’ role ID at the add_menu_page() call with ‘manage_woocommerce’ user capability, which is available by default for the administrator and shop_manager roles only.

    in reply to: Ability for Editor to add and see tags #7533
    Vladimir
    Keymaster

    Thank you for this enhancement suggestion. I will add a suitable filter in one of the next updates.

    in reply to: Duplicate product – shop manager #7532
    Vladimir
    Keymaster

    Hi Michele,

    WooCommerce by default uses the ‘manage_woocommerce’ capability for the ‘Duplicate’ link under products. It’s possible to replace it with something else using the provided custom filter ‘woocommerce_duplicate_product_capability’, like this:

    
    add_filter('woocommerce_duplicate_product_capability', 'wc_duplicate_product_cap', 10, 1);
    function wc_duplicate_product_cap( $cap ) {
      $cap = 'edit_products';
      return $cap;
    }
    
    in reply to: User logout without confirmation? #7525
    Vladimir
    Keymaster

    Hi,

    This confirmation comes from the check_admin_referer('log-out'); function call, which, if it does not find a valid _wpnonce value in the logout URL, shows the mentioned page with the logout confirmation request:

    
    function wp_nonce_ays( $action ) {
    	if ( 'log-out' === $action ) {
    		$html = sprintf(
    			/* translators: %s: Site title. */
    			__( 'You are attempting to log out of %s' ),
    			get_bloginfo( 'name' )
    		);
    		$html       .= '</p><p>';
    		$redirect_to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : '';
    		$html       .= sprintf(
    			/* translators: %s: Logout URL. */
    			__( 'Do you really want to <a href="%s">log out</a>?' ),
    			wp_logout_url( $redirect_to )
    		);
    	}
    	// ... (the rest of the function is omitted in this excerpt)
    }
    

    As a workaround you can use the code below, which just ignores the result of _wpnonce checking:

    
    add_action( 'check_admin_referer', 'logout_without_confirm', 10, 2 );
    
    function logout_without_confirm( $action, $result ) {
        if ( $action!=='log-out' ) {
            return;
        }
        
        if ( $result ) {
            return;
        }
        
        // It's a copy of logout code from wp-login.php, from line #666, just after check_admin_referer( 'log-out' ); call
        $user = wp_get_current_user();
    
        wp_logout();
    
        if (!empty($_REQUEST['redirect_to'])) {
            $redirect_to = $_REQUEST['redirect_to'];
            $requested_redirect_to = $redirect_to;
        } else {
            $redirect_to = add_query_arg(
                array(
                'loggedout' => 'true',
                'wp_lang' => get_user_locale($user),
                ), wp_login_url()
            );
    
            $requested_redirect_to = '';
        }
    
        /**
         * Filters the log out redirect URL.
         *
         * @since 4.2.0
         *
         * @param string  $redirect_to           The redirect destination URL.
         * @param string  $requested_redirect_to The requested redirect destination URL passed as a parameter.
         * @param WP_User $user                  The WP_User object for the user that's logging out.
         */
        $redirect_to = apply_filters('logout_redirect', $redirect_to, $requested_redirect_to, $user);
    
        wp_safe_redirect($redirect_to);
        exit;
        
    }
    

    I think it’s safe, as there is nothing safer than just logging out the currently logged-in user without any other conditions.
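
The confirmation page described above appears only when the logout URL lacks a valid _wpnonce, so another way to avoid it is to generate the link with wp_logout_url(), which appends the nonce. This is an added example, not part of the original post or of URE; the function name and the choice to rewrite navigation-menu items are assumptions.

```php
<?php
// Added example (not from the original post). Function name is hypothetical.
// Rewrites hard-coded logout links in navigation menus so they carry a fresh
// 'log-out' nonce; check_admin_referer( 'log-out' ) then passes and
// wp_nonce_ays() is never reached.
add_filter( 'wp_nav_menu_objects', 'example_nonce_logout_menu_links', 10, 1 );

function example_nonce_logout_menu_links( $items ) {
    foreach ( $items as $item ) {
        // Only touch links that point at the login script.
        if ( empty( $item->url ) || false === strpos( $item->url, 'wp-login.php' ) ) {
            continue;
        }

        $query = wp_parse_url( $item->url, PHP_URL_QUERY );
        if ( ! is_string( $query ) ) {
            continue;
        }

        $args = array();
        wp_parse_str( $query, $args );
        if ( ! isset( $args['action'] ) || 'logout' !== $args['action'] ) {
            continue;
        }

        // Keep a redirect target if the menu item had one; wp-login.php
        // passes it through wp_safe_redirect(), as in the code above.
        $redirect = isset( $args['redirect_to'] ) ? $args['redirect_to'] : '';

        // wp_logout_url() returns an HTML-escaped URL; undo the escaping
        // because the menu walker escapes the href again on output.
        $item->url = str_replace( '&amp;', '&', wp_logout_url( $redirect ) );
    }

    return $items;
}
```

The nonce is tied to the logged-in user's session, so a page cache that stores the rendered menu would also store the nonce; this approach fits menus rendered per user.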
