[4.40.1] 22.12.2017
Core version: 4.39
- Fix: Content View Restrictions add-on: change of “For Users” field in post/page editor “Content View Restrictions” meta box was not saved properly after the 4.40 update.
[4.40] 20.12.2017
Core version: 4.39
- New: Support was added for additional user capabilities introduced by WordPress versin 4.9: deactivate_plugins, install_languages, update_languages. There is a new section “Use additional capabilities” at Settings->User Role Editor->Additional Modules tab. Minimal required WordPress version: 4.9. ‘deactivate_plugin’ capability is mapped to ‘deactivate_plugins’, ‘activate_plugin’ – to ‘activate_plugins’.
- Update: Admin menu access add-on: ‘paged’ argument was added as allowed by default for upload.php URL.
- Fix: Admin menu access add-on: White-listed URL arguments were not taken into account in case URL started not with ‘admin.php’ and contained a ‘page’ argument.
- Fix: Other roles access add-on: edit/delete user with blocked role via direct link (user-edit.php?user_id=ID or users.php?action=delete&user=ID) was not prohibited as expected.
- Fix: Page permissions viewer add-on does not produce PHP notices and warnings in case ‘file’ index does not exist in a data return by debug_backtrace() function.
- Update: Type checking enhanced for values received from a user input and for variable arguments inside database queries.
- Update: Plugin settings management code moved to the separate URE_Settings_Pro class.
- Update: “Settings->User Role Editor->Additional Modules” tab: if “Defaults for content view restrictions” section is visible when you click “Save”, it’s not hidden after the page refresh.
- Core version was updated to 4.39:
- Update: Plugin settings management code moved to the separate URE_Settings class.
- Update: Own code to build usermeta db table name was excluded. A value from $wpdb->usermeta is used instead.
- Update: Type checking enhanced for values received from a user input and for variable arguments inside database queries.
[4.39.1] 28.11.2017
Core version: 4.38
- Fix: Posts/pages edit restrictions add-on: Posts/Pages view links ‘All/Mine/Published’ disappeared for user with administrator role. Some filter functions did not return values if edit restrictions are not applicable to a current user, administrator for example.
[4.39] 27.11.2017
Core version: 4.38
- New: Admin menu access add-on: It’s possible to manage the allowed URL parameters list via “White list of URLs parameters’ link. This link is located at “Settings->User Role Editor->Additional Module” tab, just under “Activate Administrator Menu Access module” checkbox.
- New: Posts/pages edit restrictions add-on: ‘ure_post_edit_access_terms_list’ custom filter allows to set a categories (terms) list (CSV) programmatically.
- Update: Meta boxes access add-on supports WPML meta boxes now.
- Update: Settings->User Role Editor->Additional Modules: section with defaults for Content View Restrictions add-on is shown/hidden by click on “Show Defaults…/Hide Defaults…” link.
- Update: “Force custom post types use its own capabilities” option: custom post types are selected by enhanced criteria. Permissions was not changed earlier for CPT with a ‘page’ capability type.
- Fix: Posts/pages edit restrictions add-on: excluded the cases, when edit restrictions would be applied to a user with superadmin priveleges.
- Core version was updated to 4.38
- Security: XSS vulnerability was fixed at URE’s options page. Bug was discovered and fixed at tab index value numeric type checking. Tab index value is additionally escaped before output also.
- Security: Deprecated code for debug output to the .log file in case of database query error was removed.
- Security: Multiple select jQuery plugin (https://github.com/wenzhixin/multiple-select/) was updated to the latest available version 1.2.1, which fixed XSS vulnerability, existed in earlier versions.
[4.38] 04.11.2017
Core version: 4.37
- New: User permissions viewer add-on was added. It shows at the bottom of every admin backend (wp-admin) page the user capabilities list checked by this page and plugins hooked to it.
- New: bbPress user capabilities are shown at User Role Editor under the separate group “Custom capabilities->bbPress” if bbPress plugin is active.
- Update: Content edit restrictions add-on: removed unneeded current user admin permissions checking, which executed for any WordPress page.
- Update: Admin menu access add-on: redirection code for blocked URL was enhanced.
- Update: Content view restrictions add-on: hooks to WordPress with 999 priority instead of former 100 for better compatibility with other plugins.
- Fix: Content view restrictions add-on: WP_Query query variable ‘post__not_in’ is set in case when ‘post__in’ is not set. Otherwise prohibited posts are excluded from existing ‘post__in’ array.
- Fix: Other roles access add-on: Users with roles blocked for current user are excluded from the users list. Quantity of users of ‘All’ view (tab) at ‘Users’ page is decreased now for the quantity of hidden users.
- Core version was updated to 4.37
- New: New option was added. It’s possible to select permanent quant of capabilities columns at the “Settings->User Role Editor->General” tab.
- Update: User capabilities are shown for custom post types which use the WordPress built-in ‘post’ or ‘page’ capability type. (0/0) was shown earlier instead of the quantity of user capabilities really used.
- Update: Restriction was added for ‘do_not_allow’ user capability (used internally by WordPress). You can not add it manually.
- Fix: URE hides users with ‘administrator’ role by default from any other user. Quantity of users of ‘All’ view (tab) at ‘Users’ page is decreased now for the quantity of hidden admins.
[4.37] 27.09.2017
- Core version: 4.36.1
- New: Required WordPress version was raised up to 4.4. Front-end menu access add-on does not support earlier WordPress versions.
- New: Posts/pages edit restrictions add-on: User with restrictions by categories can use ‘Clone’ link from ‘Duplicate Post’ plugin. The 1st category available to a current user will be assigned automatically to a new created post copy in order to make this post editable to this user.
- Fix: Posts/pages edit restrictions add-on: URE will extend automatically the list of allowed/restricted attachments for media library items, attached to allowed/restricted posts/pages/CPT.
- Update: Content View Restrictions shortcode add-on: Shortcode [user_role_editor] was not processed/rendered by default for a user with ‘administrator’ role,
following a logic “there are not restrictions for administrators”. It’s changed according to multiple user requests. Users with ‘administrator’ role will not see not rendered [user_role_editor]…[/user_role_editor] shortcode text at front-end starting with this update. It does not depend from a ‘ure_render_content_view_shortcode_for_admin’ filter value. All [user_role_editor] shortcodes are rendered for all users, including superadmin.
It’s possible to change this default behavior via custom filter ‘ure_render_content_view_shortcode_for_admin’. It takes a single boolean parameter. Change it to FALSE in order a user with ‘administrator’ role can see a raw content instead of a rendered/restricted one. - Fix: Front end menu access add-on:
– Access filter is applied for front-end only to get rid off accidental deletion of restricted menu items.
– ‘wp_get_nav_menu_items’ filter is used now instead of ‘wp_nav_menu_objects’ one, which fires too late for case when some plugin uses own code to show WordPress navigation menu and do not uses wp_nav_menu() function from WordPress core.
– URE does not override WordPress front-end menu output method as earlier, it uses reqexp to insert custom action to the right place of WordPress front-end menu output. - Fix: Admin menu access add-on:
– User with ‘manage_categories’ capability, but without ‘edit_posts’ one, did not have access to the Posts->Categories, Posts->Tags menu items with active “Admin menu access” add-on.
– ‘Block not selected’ model did not allow search and sort operations with categories and tags. User was redirected to the dashboard automatically. - Fix: Incompatibility issue with Advanced Custom Fields (ACF) plugin was fixed – meta boxes added by ACF were not recognized by “Widgets access” add-on.
- Update: Direct access to the global $current_user variable is excluded from the code. Current user data is initialized via WordPress core functions wp_get_current_user() or get_current_user_id().
- Update: Various unused pieces of code were removed.
- Core version was updated to 4.36.1
- Update: Direct access to the global $current_user variable is excluded from the code. Current user data is initialized via WordPress core functions wp_get_current_user() or get_current_user_id().
- New: It’s possible to set any URE’s option value programmatically: use custom filter ‘ure_get_option_
‘. It takes a single parameter with current/default value for required options. Full list of User Role Editor options is available here: https://www.role-editor.com/documentation/options-list - Update: Users page – Grant Roles. It’s possible to change just “Other roles” for multiple users and leave their primary roles untouched. Just leave a “Primary role” field empty. If you select the “- No role for this site -” option from a “Primary role” drop-down list, plugin will revoke all roles from the selected users.
- Update: Options page screen help text was updated.
- Fix: Additional (other) default roles set at URE’s settings page are not granted to a new user now, if they were deselected at a ‘Add New User’ page.
[4.36.1] 20.07.2017
Core version: 4.35.3
- Core was updated to version 4.35.3:
- Fix: Multiple roles assignment (including default roles) did not work at “Users->Add New” new-user.php (contexts: add-existing-user, add-new-user) page for WordPress multisite.
[4.36] 18.07.2017
Core version: 4.35.2
- New: Content view restrictions shortcode: ‘users’, ‘except_users’ attributes were added to the existing ‘user_role_editor’ shortcode. It’s possible to use digital user IDs or symbolic user logins, e.g. users=”11, 25, billy” or except_users=”18, peggy”.
- Fix: Admin menu access add-on: submenu which is not linked to the main menu are removed now from internal URE Pro data structures to exclude PHP notices, like Undefined offset: 3 in wp-content/plugins/user-role-editor-pro/pro/includes/classes/admin-menu-access.php on line 214
- Update: JavaScript code enhancements.
- Core was updated to version 4.35.2:
- Fix: Multiple default roles (if defined at URE’s settings) are selected automatically at ‘add-new-user’ page.
- Update: Code enhancement for protection of users with ‘administrator’ role from each other. Current user can see his own record and edit own profile.
[4.35.2] 10.07.2017
Core version: 4.35.1
- Fix: Gravity Forms access add-on: view of entries from prohibited forms via direct URL was not blocked.
- Fix: Admin menu access add-on: It was not possible to block menu items when user had access to some submenu item, like “Categories”, but did not have access to a top level menu, like ‘Posts’. ‘Categories’ was shown in spite of it was configured as blocked.
- Core was updated to version 4.35.1:
- Fix: “Grant Roles” button at the bottom of “Users” page did not work as had the same ID as a similar button at the top of this page.
- Update: when bbPress plugin is active, “Grant Roles” does not revoke bbPress role granted to user anymore.
- Fix: The same ID “move_from_no_role” and “move_from_no_role_dialog” were output twice at “Users” page.
[4.35.1] 11.06.2017
Core version: 4.35
- Fix: Posts/pages edit access add-on:
– Child pages ID list selection algorithm was fixed and optimized.
– ‘Mine’ view posts count shows valid quantity of current user posts. - Fix: All add-ons: class ‘ui-button-text’ was added to all ui-dialog (update, cancel) buttons.
- Update:Core was updated to version 4.35:
- Update: Bulk capabilities selection checkbox is not shown for ‘administrator’ role for single site WP, and is shown if current user is superadmin for multisite WP. It was done to exclude sudden revoke of all capabilities from the ‘administrator’ role.
- Update: Full copy of JQuery UI 1.11.4 custom theme CSS file (jquery-ui.css) was included.
- Fix: User->User Role Editor page apparently loads own jQuery UI CSS (instead of use of WordPress default one) in order to exclude the conflicts with themes and plugins which can load own jQuery UI CSS globally not for own pages only.
- Fix: “Change Log” link was replaced with secure https://www.role-editor.com/changelog
[4.35] 04.06.2017
Core version: 4.34
- New: Widgets admin access add-on: It’s possible to block access to sidebars.
- Fix: Admin menu access add-on: “block not selected” model redirected user to the 1st available URL from allowed URLs with different letter case parameters, like admin.php?page=PopupBuilder
- Update: Core version was updated to 4.34:
- New: Multisite ‘upgrade_network’ capability support was added for compatibility with WordPress 4.8.
- New: Multisite ‘delete_sites’ capability support was added.
- Fix: jQuery UI CSS was updated to fix minor view inconsistency at the URE’s Settings page.
- Fix: “Reset” presentation code remainders were removed from the main User Role Editor page.
- Fix: ‘manage_links’ capability was included into a wrong subgroup instead of “Core->General”. It was a mistake in the capabilities group counters for that reason.
[4.34.3] 23.05.2017
Core version: 4.33.1
- Fix: Content view restrictions add-on: PHP notice was removed: Undefined variable: self in /wp-content/plugins/user-role-editor-pro/pro/includes/classes/content-view-restrictions.php on line 795
[4.34.2] 22.05.2017
Core version: 4.33.1
- New: Posts/pages edit restrictions add-on: custom filter ‘ure_edit_posts_access_restriction_type’ was added. It allows to modify on a fly the restriction type for current user: 1 – prohibit, 2 – allow.
- Update: “Use jQuery UI CSS from jQuery CDN” option was removed from the “General” tab of User Role Editor Pro Settings page.
- Fix: Content view restrictions add-on:
– URE_Content_View_Restrictions::current_user_can_view() returned incorrect result for some restrictions settings.;
– URE_Content_View_Restrictions_Posts_List::do_not_restrict_editors() could intercept with Posts/pages edit restrictions add-on by recursive call of view filter when WP_Query selects posts available for editing.
– ure_restrict_content_view_for_authors_and_editors filter was ignored for single page content. - Update: Core version was updated to 4.33.1
- Update: Core version: “Reset” button moved from the “Users->User Role Editor” main page to the “Settings->User Role Editor->Tools” tab.
- Update: Core version: “Users->Grant Roles” button worked only for superadmin or user with ‘ure_manage_options’ capability. User with ‘edit_users’ can use this feature now.
- Update: Core version: Settings tabs and dialog windows style sheets was updated to jQuery UI 1.11.4 default theme.
- New: Core version: Boolean filter ‘ure_bulk_grant_roles’ allows to not show “Users->Grant Roles” button if you don’t need it.
- New: Core version: Boolean filter ‘ure_users_select_primary_role’ can hide ‘Primary role’ selection controls from the user profile edit page.
- New: Core version: Boolean filter ‘ure_users_show_wp_change_role’ can hide “Change Role” bulk action selection control from the Users page. So it’s possible to configure permissions for user who can change just other roles of a user without changing his primary role.
- Fix: Buttons “Users->Without Roles”, “Users->Grant Roles” are shown only to the users with ‘edit_users’ capability.
- Fix: Transients caching was removed from URE_Lib::_get_post_types() function. It cached post types list too early in some cases.
[4.34.1] 24.04.2017
Core version: 4.32.3
- Fix: Front end menu access add-on: a lot of pages became restricted for front-end menu due to logic mistake in an access checking code. As a result related menu items were hidden from menu without a visible reason.
[4.34] 21.04.2017
Core version: 4.32.3
- New: Front end menu access add-on:
– “Not logged-in and logged-in users with selected roles” option was added.
– menu items with links to the posts/pages prohibited for view for current user by “Content view restrictions” add-on with 404 HTTP error action are excluded from menu automatically. - New: Content view restrictions add-on:
– Shortcode [user_role_editor] roles / except_roles attributes support ‘&&’ role ID separator. For example roles=”subscriber && customer” means that user should have both roles simultaneously, comparing to the roles=”subscriber, customer” which works for subscribers or customers or (subscribers and customers).
– public static method URE_Content_View_Restrictions::current_user_can_view($post_id) was added. It returns boolean value. - Update: Content view restrictions add-on:
– roles list opened at the post level is sorted by alphabet.
– Singleton pattern was applied to the URE_Content_View_Restrictions_Posts_List class. - Update: Admin menu access add-on: “block not selected model”: support was added for URL parameters added to users.php by “Ultimate Member” plugin.
- Fix: Content view restrictions add-on:
– default setting for access error action “return HTTP 404 error” was not always applied to the new added post.
– categories/tags/terms group selection checkboxes work separately now for every term group – categories, tags, etc. - Fix: bbPress role support was broken, even administrator did not see bbPress menu and user roles in some cases while User Role Editor Pro was active.
- Fix: Admin menu access add-on: “block not selected model” did not allow to delete users and use other core WordPress functionality at “users.php’ page redirecting user to the 1st available admin menu item.
[4.33] 03.04.2017
Core version: 4.32.3
- New: Content view restrictions add-on: authors list and own data only options were added for roles.
- Fix: Content view restrictions add-on:
– filter by categories may work incorrectly due to mistake in the SQL query;
– content-view-restrictions-controller.php used not existed function URE_Lib_Pro::filter_int_array(). - Update: Admin menu access add-on: parameters added by ‘Enable media replace’ plugin were registered as allowed for upload.php link. Earlier ‘Replace’ link was blocked with a redirection to the 1st available menu item.
- Fix: Admin menu access add-on: “Block not selected” model:
– search a user at “Users” page was finished by the automatic redirection to the 1st available menu item (Dashboard, etc.). The list of allowed parameters for ‘Users’ page was extended for the search and sort parameters used at this page by WordPress core.
– selection of ‘Media Library->Add new’ menu item was resulted by removing of ‘Upload Files’ tab at a dialog opened by “Add Media” button from the post/page editor screen. - Fix: Bulk grant to users multiple roles JavaScript code is loaded now for users.php page only, not globally.
- Fix: nonexistent html_esc__() function was called instead of valid esc_html__() one at pro/includes/classes/posts-edit-access-bulk-action.php file.
- Fix: “Users->Grant Roles” button did not work with switched off option “Count Users without role” at “Settings->User Role Editor->Additional Modules” tab. “JQuery UI” library was not loaded.
- Fix: Boolean false was sent to WordPress core wp_enqueue_script() function as the 2nd parameter instead of an empty string. We should respect the type of parameter which code author supposed to use initially.
- Update: minimal PHP version was raised to 5.3.
[4.32.3] 10.03.2017
Core version: 4.32.1
- New: Button “Grant Roles” allows to “Assign multiple roles to the selected users” directly from the “Users” page.
- Update: Singleton template was applied to the main class User Role Editor Pro. While GLOBALS[‘user-role-editor’] reference to the instance of User_Role_Editor_Pro class is still available for the compatibility reasons, call to User_Role_Editor_Pro::get_instance() is the best way now to get a reference to the instance of User_Role_Editor_Pro class.
- Fix: Content view restrictions add-on: PHP notice “Undefined index: ure_post_access_error_action in content-view-restrictions-controller.php” was removed.
- Fix: ‘unfiltered_html’ capability was added to the ‘General’ capabilities group.
[4.32.2] 10.02.2017
Core version: 4.31.1
- Fix: Content view restrictions add-on: restrictions were applied too early, some theme or plugin could replace ‘access error’ message from URE with original protected content.
- Fix: Posts edit restrictions add-on: User with restrictions saws a full list of Media Library items in case he did not have own attachments in the list of allowed posts, minor code enhancements.
- Fix: Fix: Admin menu access add-on: Code responsible for a legacy data format conversion was excluded.
- Fix: It’s possible to translate license key states: “Active, Expired, Invalid”.
[4.32.1] 07.01.2017
Core version: 4.31.1
- Fix: Plugins access add-on: User with ‘activate_plugins’ capability but empty allowed plugins list did not see any plugins. When a restriction is not set, user should see a full plugins list.
- Update: Front-end menu access add-on: It works now according to the given permissions, if current user is a site admin too.
- Update: Posts edit access add-on: It’s possible to modify posts/pages, custom post type ID list via filter ‘
ure_edit_posts_access_id_list
‘. ID list is a comma separated list of integers.
[4.32] 06.01.2017
Core version: 4.31.1
- New: Plugins access add-on:
– It’s possible to restrict access to the list of plugins available for activation/deactivation for the role.
– It’s possible to change selection model: allow access to the selected or not selected plugins. - Fix: bbPress roles changes were not saved.
- Fix: Admin menu access add-on: List of allowed URL parameters checked under “blocked not selected” model was extended for parameters used by Gravity Forms plugin.
- Fix: WP transients get/set were removed from URE_Own_Capabilities class. It leaded to the MySQL deadlock in some cases.
- Update: Base_Lib::get_request_var() sanitizes user input by PHP’s filter_var() in addition to WordPress core’s esc_attr().