Bug : Role change in profile form by administrator

@champsupertramp

@nikitasinelnikov

Could one of you revisit that problem. Thanks.

Hi @ldeschenes

The hook will be added in 2.6.0 please use it with caution on your own.
It’s ‘um_extend_editable_roles’.

Best Regards!

@nsinelnikov

Thanks for the new hook.

I cannot find it at https://docs.ultimatemember.com/article/1324-hooks-list

Could you please give me an example of how to use it.

@ldeschenes

/**
 * UM hook
 *
 * @type filter
 * @title um_extend_editable_roles
 * @description Extend Editable User Roles
 * @input_vars
 * [{"var":"$editable_roles","type":"array","desc":"Editable Roles Keys"}]
 * @change_log
 * ["Since: 2.6.0"]
 * @usage add_filter( 'um_extend_editable_roles', 'function_name', 10, 1 );
 * @example
 * <?php
 * add_filter( 'um_extend_editable_roles', 'my_um_extend_editable_roles', 10, 1 );
 * function my_um_extend_editable_roles( $editable_roles ) {
 *     // your code here
 *     return $editable_roles;
 * }
 * ?>
 */

@missveronicatv

Thanks for the code snippet.

I will test it and report back.

@missveronicatv

Since I am still junior in PHP, I want to make sure I do understand before testing.

Does “your code here” should be replaced by :

$editable_roles = array(“um_coproprietaire”,”um_locataire”,”um_resident”);

Would the following code be better:

$editable_roles = [‘um_coproprietaire’, ‘um_locataire’, ‘um_resident’];

Thanks.

@ldeschenes

Yes, if these roles are those required both examples are OK but the first one most used.

$editable_roles = array( 'um_coproprietaire', 'um_locataire', 'um_resident' );

If you want to add your roles to the default editable UM Roles:

$editable_roles = array_merge( $editable_roles, array( 'um_coproprietaire', 'um_locataire', 'um_resident' ));

https://www.php.net/manual/en/function.array-merge.php

@missveronicatv

Thanks for confirming that quickly! I do understand both use case.

But what are the “default editable UM Roles” ? How are they set ? Where could I see what they are ?

@ldeschenes

Enable PHP debug logging, read this guide: “How to enable debug logging”

https://docs.ultimatemember.com/article/1751-enable-debug-logging

Add this code line to your function, which will write to /wp-content/debug.log your editable roles ie the content of the parameter $editable_roles when calling your function.

error_log( 'editable roles: ' . implode( ', ', $editable_roles ));

https://www.php.net/manual/en/function.error-log.php

• This reply was modified 1 year, 12 months ago by missveronica.

@missveronicatv @nsinelnikov

I did apply the code snippet but this did not resolved my problem.

Just to be clear, let me explain in details my problem :

1. I use a profile form that uses the pre-defined field ‘Role (dropdown)’
2. The field ‘Can user edit this field?’ is NOT checked as I don’t want users to edit their own roles
3. The role field is visible and not editable when the user is editing their own profile (as you would expect)
4. Editing the users profile page as Admin, the role field is editable. (as you would expect)
5. When changing the users role and saving the profile, the role reverts to its original value. (not helpful)

If I check the ‘Can user edit this field?’ checkbox:
The result is that both user and admin can change the role. (but this is not the behaviour that I want).

BTW, the describe behavior is the same when using or not using the hook.

@ldeschenes

I did apply the code snippet but this did not resolved my problem.

Did your code snippet get executed ie the error_log function did write the Role IDs to /wp-content/debug.log?

@missveronicatv

I did not enable PHP debug logging… but as I said “the describe behavior is the same when using or?not using the hook (disabling the snippet)“

It looks like the secury pack that was done at the time to resolve this issue (https://www.wordfence.com/blog/2020/11/critical-privilege-escalation-vulnerabilities-affect-100k-sites-using-ultimate-member-plugin/) affected diiferent bahaviors. The hook might have resolved some but not the one I described in my last message. BTW that was working prior to the security patch.

@missveronicatv

(My last post has been held for moderation… I believe because I included an outside URL. So here is the text without the url.)

I did not enable PHP debug logging… but as I said “the describe behavior is the same when using or not using the hook (disabling the snippet)“

It looks like the secury pack that was done at the time to resolve this issue (removed url) affected diiferent bahaviors. The hook might have resolved some but not the one I described in my last message. BTW that was working prior to the security patch.

You can see the removed WordFence URL in the first post of this thread.

• This reply was modified 1 year, 12 months ago by ldeschenes.

@ldeschenes

I suspect that your code snippet never executes and that’s why I asked about the error_log.

@missveronicatv @nsinelnikov

Just to make sure I enabled the log. Here is the result :

[03-Apr-2023 11:59:32 UTC] editable roles: um_coproprietaire, um_locataire, um_resident
[03-Apr-2023 11:59:40 UTC] editable roles: um_coproprietaire, um_locataire, um_resident

The problem is still present. The hook might have resolved some problems but not this one :

1. I use a profile form that uses the pre-defined field ‘Role (dropdown)’
2. The field ‘Can user edit this field?’ is NOT checked as I don’t want users to edit their own roles
3. The role field is visible and not editable when the user is editing their own profile (as you would expect)
4. Editing the users profile page as Admin, the role field is editable. (as you would expect)
5. When changing the users role and saving the profile, the role reverts to its original value. (not helpful)

If I check the ‘Can user edit this field?’ checkbox:
The result is that both user and admin can change the role. (but this is not the behaviour that I want).

BTW that was working prior to the security patch.