[Vladimir]

Update: as function can accept parameter $user_id, we have to check not current user only, but a user with ID equal $user_id value:

    public static function can_manage_data($user_id = 0) {

        if ($user_id === 0) {
            $user = wp_get_current_user();
        } else {
            $user = get_userdata($user_id);
        }
/*
        if (in_array('administrator', $user->roles) OR in_array('editor', $user->roles)) {
            return TRUE;
        }
*/
        if ( user_can( $user, 'edit_others_posts') ) {
            return TRUE;
        }

        return FALSE;
    }

[Vladimir]

Fix is possible, if you are ready to edit this plugin code.
Replace can_manage_data() function at bulk-editor/classes/helper.php file (#356) with the version below. It allows to use plugin to any user who can ‘edit_others_posts’:

    public static function can_manage_data($user_id = 0) {

        if ($user_id === 0) {
            $user = wp_get_current_user();
        } else {
            $user = get_userdata($user_id);
        }
/*
        if (in_array('administrator', $user->roles) OR in_array('editor', $user->roles)) {
            return TRUE;
        }
*/
        if ( current_user_can('edit_others_posts') ) {
            return TRUE;
        }

        return FALSE;
    }

Take into account that you have to repeat this editing after any plugin update.

[Vladimir]

WPBE plugin developer decides that this plugin should be available only to users with ‘administrator’ or ‘editor’ role. Instead of user capability, which you would grant to any custom role, plugin checks directly ‘administrator’ and ‘editor’ role before add its menu page:

if (WPBE_HELPER::can_manage_data()) {
    add_action('admin_menu', function() {
                add_menu_page(esc_html('WPBE Bulk Editor', 'bulk-editor'), esc_html('WPBE Bulk Editor', 'bulk-editor'), 'publish_posts', 'wpbe', function() {
                    $this->print_plugin_options();
                }, 'dashicons-hammer', 90);
            }, 99);
}

public static function can_manage_data($user_id = 0) {

    if ($user_id === 0) {
        $user = wp_get_current_user();
    } else {
        $user = get_userdata($user_id);
    }
    // !!! this condition does not allow custom roles to use this plugin 
    if (in_array('administrator', $user->roles) OR in_array('editor', $user->roles)) {
        return TRUE;
    }

    return FALSE;
}

[Vladimir]

Hi,

URE uses WP_User::add_role() method (wp-includes/class-wp-user.php, #536 (WP v. 5.7) in this case, which fires this action

do_action( 'add_user_role', $this->ID, $role );

Check current page and additional parameters to execute your own hook only for the “Users” page and “Add Role” bulk action, not for other cases. For example, URE itself checks this:

if ( ( !empty( $_REQUEST['ure_add_role'] ) && !empty( $_REQUEST['ure_add_role_submit']) ) || ( !empty( $_REQUEST['ure_add_role_2'] ) && !empty( $_REQUEST['ure_add_role_submit_2'] ) ) ) {
// do something ...

[Vladimir]

Hi David!

Thanks for the remind and references on possibly useful code references from existing plugins.

Sure. This feature is a must have for User Role Editor Pro and I still plan to realize it.
I can not tell an exact time when I will be ready to introduce it though. So please wait a little bit more…

[Vladimir]

Hi,

Generally, it should work with new version. Custom roles and capabilities are will be in place.
4.5.1 was so long ago though. Max. problem you may meet – to re-configure manually the settings for some add-on, like “Admin menu access”.

[Vladimir]

Thanks. Quick check showed that WPMF does not use ‘ure_manage_options’ capability. Btw., for any permission check WPMF applies filter ‘wpmf_user_can’. So it’s possible to change, what permission it requires.

Re-thinking on the problem, I recalled that ‘edit restrictions’ set for a user automatically restricts the Media Library items available to this user – he sees only own items by default. More, if user can ‘ure_manage_options’, then ‘edit restrictions’ are not applied to him. So it would be a real reason of the described issue with access to the Media Library items inside WPMF, inspite of its internal access options.

Try to add this custom filter. It switches off the restrictions to the list of Media Library items available to a user with edit restrictions set.

[Vladimir]

OK. Thanks for sharing.

[Vladimir]

ure_manage_options – is the internal for User Role Editor user capability. If user can it, URE count it superadmin for URE itself. Thus URE does not restrict such user in any manner.

I doubt that WPMF checks ure_manage_options. It is more probable WordPress internal ‘manage_options’, which it may search as a substring occurrence in the user capabilities serialized value – just assumption. I can not say more without access to the WPMF source code. If you share it with support [at-sign] role-editor.com via Google Drive or similar, I may give you more details.

[Vladimir]

Hi,

One of the updates included into the recent version 4.59.2:
– Option “Force custom post types to use their own capabilities” replaces default capabilities for the custom taxonomies also. It takes the slug of the 1st post type associated with such taxonomy (e.g. ‘video’) and builds own capabilities this way: manage_terms->manage_video_terms, edit_terms->edit_video_terms, delete_terms->delete_video_terms, assign_terms->assign_video_terms. URE automatically adds such capabilities to the ‘administrator’ role. You have to grant these new capabilities to other roles manually.

Filter custom capabilities by word ‘terms’ via ‘Quick Search’ and grant needed capabilities to needed role.

[Vladimir]

Hi,

You have to resolve this issue with Tutor LMS developers.

Tutor LMS automatically restricts all users, who are don’t have role ‘administrator’, but have role ‘tutor_instructor’, by posts created by current user – for all post types, including WooCommerce products, orders, etc. I think, this is a bug, and they should restrict access for the own custom post types only, not for all as they do currently.

I tested free version of Tutor LMS. I granted to user with editor role the 2nd role – tutor_instructor. Editor automatically lost access to the all posts and pages except his own.

Here is the code responsible for the problem (tutor/classes/Admin.php):

add_action('admin_init', array($this, 'filter_posts_for_instructors'));

...

/**
 * Filter posts for instructor
 */
public function filter_posts_for_instructors(){
	if ( ! current_user_can('administrator') && current_user_can(tutor()->instructor_role)){
		@remove_menu_page( 'edit-comments.php' ); //Comments
		add_filter( 'posts_clauses_request', array($this, 'posts_clauses_request') );
	}
}

public function posts_clauses_request($clauses){
	global $wpdb;

	$user_id = get_current_user_id();

	$get_assigned_courses_ids = $wpdb->get_col($wpdb->prepare("SELECT meta_value from {$wpdb->usermeta} WHERE meta_key = '_tutor_instructor_course_id' AND user_id = %d", $user_id));

	$custom_author_query = "AND {$wpdb->posts}.post_author = {$user_id}";
	if (is_array($get_assigned_courses_ids) && count($get_assigned_courses_ids)){
		$in_query_pre = implode(',', $get_assigned_courses_ids);
		$custom_author_query = "  AND ( {$wpdb->posts}.post_author = {$user_id} OR {$wpdb->posts}.ID IN({$in_query_pre}) ) ";
	}

	$clauses['where'] .= $custom_author_query;

	return $clauses;
}

[Vladimir]

Role should can at least ‘read’ capability in order have access to admin backend.
Then follow the steps described at “this article for similar task.

[Vladimir]

Hi,

Thank you.

[Vladimir]

Hi,

According to WordPress built-in permissions logic:
– User can not edit any posts if he does not have ‘edit_posts’. User can not edit posts created by other users if he does not have ‘edit_others_posts’.

Thus, ‘edit_posts’, ‘edit_others_posts’ capabilities are required both in order user can edit posts created by other users.

URE shows ‘with author user ID’ field for user or role if it can at least ‘edit_others_posts’ or ‘edit_others_pages’ and restricts posts available for editing by posts created only by users which ID are listed in this field.

I can just suppose according to your description, that some other plugin may change default WordPress permissions logic. Try temporally deactivate all plugins except URE Pro and test what posts are available for editing to restricted user. If it will work as expected, activate plugins back one by one with new test in order to isolate a conflict.

[Vladimir]

Activate/deactivate add-on is safe – all settings made for add-on are in place.
Settings are deleted only upon plugin deletion via WordPress.
If you will confirm that redirection to WP dashboard is due to URE Pro “Admin menu access”, I will need 2 screenshots in addition:
1) “Users->User Role Editor->Admin menu” made for the tested role;
2) “Tools->Redirection” page with browser URL address visible at the top.

[Author]

Posts