• Tested in NextGEN Gallery v3.37.0.

    Under the Roles & Capabilities panel of the Other Options sub-menu page of the NextGEN Gallery menu, it states:

    Select the lowest role which should be able to access the following capabilities. NextGEN Gallery supports the standard roles from WordPress.

    Unfortunately, the logic that resolves the “lowest role” is heavily flawed. If you choose a custom role, all “higher roles” including administrators will most likely lose all capabilities.

    This is the PHP function that sorts the available roles:

    function ngg_get_sorted_roles() {
    	// This function returns all roles, sorted by user level (lowest to highest)
    	global $wp_roles;
    	$roles = $wp_roles->role_objects;
    	$sorted = array();
    
    	if( class_exists('RoleManager') ) {
    		foreach( $roles as $role_key => $role_name ) {
    			$role = get_role($role_key);
    			if( empty($role) ) continue;
    			$role_user_level = array_reduce(array_keys($role->capabilities), array('WP_User', 'level_reduction'), 0);
    			$sorted[$role_user_level] = $role;
    		}
    		$sorted = array_values($sorted);
    	} else {
    		$role_order = array("subscriber", "contributor", "author", "editor", "administrator");
    		foreach($role_order as $role_key) {
    			$sorted[$role_key] = get_role($role_key);
    		}
    	}
    	return $sorted;
    }

    If a RoleManager class exists, it is not used, and the roles are sorted using WP_User::level_reduction() in a similar fashion to WP_User::update_user_level_from_caps().

    I don’t know what RoleManager is supposed to be; it is not a class provided by NextGEN Gallery nor NextGEN Gallery Pro. This function is the only occurrence of this class.

    If a RoleManager class does not exist, a fixed ordered list of WordPress’ default roles is used: subscriber, contributor, author, editor, administrator. If the selected role is not one of these predefined roles, the ngg_set_capability() function will remove NGG capabilities from all of the predefined roles.

    The ngg_set_capability() function should never apply to administrators, and preferably not to any role with the manage_options capability. Elsewhere, I’ve noticed is_super_admin() used in relation to displaying the Roles & Capabilities page (which relies on the delete_user capability).

    To resolve this issue, in the meantime, I have to manually restore the NGG capabilities to administrators because I don’t want to reset NGG itself. Furthermore, I will either create an empty RoleManager class to trigger NGG’s alternative role sorting logic or create a patch file to rewrite the roles.php file that contains this logic.

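    As an added example (not code from NextGEN Gallery, nor from the post above), the following stand-alone PHP script models the problem outside WordPress with a constructed role table. It contrasts the fixed-list ordering used by the plugin's fallback branch with a hypothetical replacement that ranks every role, custom ones included, by its highest level_N capability (what WP_User::level_reduction() computes), and it applies a capability only downward from the selected role while never touching a role that holds manage_options. All names prefixed demo_, the role table, and the capability name are assumptions made for the example.

```php
<?php
// Added example, not plugin code. Constructed stand-in for $wp_roles->role_objects:
// role slug => capability map. 'gallery_manager' is a custom role with no level_N cap.
$demo_roles = [
    'subscriber'      => ['read' => true, 'level_0' => true],
    'contributor'     => ['read' => true, 'edit_posts' => true, 'level_1' => true],
    'author'          => ['read' => true, 'edit_posts' => true, 'upload_files' => true, 'level_2' => true],
    'editor'          => ['read' => true, 'edit_posts' => true, 'upload_files' => true,
                          'edit_others_posts' => true, 'level_7' => true],
    'administrator'   => ['read' => true, 'edit_posts' => true, 'upload_files' => true,
                          'edit_others_posts' => true, 'manage_options' => true, 'level_10' => true],
    'gallery_manager' => ['read' => true, 'edit_posts' => true, 'upload_files' => true],
];

// Mirrors the fallback branch of ngg_get_sorted_roles(): a fixed list of default roles.
// Any custom role is simply absent from the result.
function demo_fixed_order(array $roles): array {
    $sorted = [];
    foreach (['subscriber', 'contributor', 'author', 'editor', 'administrator'] as $key) {
        if (isset($roles[$key])) {
            $sorted[$key] = $roles[$key];
        }
    }
    return $sorted;
}

// Highest N among the role's level_N capabilities, 0 if it has none
// (the same quantity WP_User::level_reduction() folds over).
function demo_level(array $caps): int {
    $level = 0;
    foreach (array_keys($caps) as $cap) {
        if (preg_match('/^level_(\d+)$/', $cap, $m)) {
            $level = max($level, (int) $m[1]);
        }
    }
    return $level;
}

// Hypothetical replacement ordering: every role, keyed by slug (so equal levels never
// overwrite each other), sorted by level and then by capability count as a tie-break.
function demo_level_order(array $roles): array {
    $keys = array_keys($roles);
    usort($keys, function (string $a, string $b) use ($roles): int {
        $cmp = demo_level($roles[$a]) <=> demo_level($roles[$b]);
        return $cmp !== 0 ? $cmp : count($roles[$a]) <=> count($roles[$b]);
    });
    $sorted = [];
    foreach ($keys as $key) {
        $sorted[$key] = $roles[$key];
    }
    return $sorted;
}

// Grant $cap to $lowest and every role above it in $order, remove it from roles below.
// Roles holding manage_options always keep $cap, so administrators cannot be locked out.
// An unknown $lowest is rejected instead of silently stripping every role.
function demo_set_capability(array &$roles, array $order, string $lowest, string $cap): array {
    if (!isset($order[$lowest])) {
        throw new InvalidArgumentException("Role '$lowest' is not in the sort order; no changes made");
    }
    $grant  = false;
    $result = [];
    foreach ($order as $key => $caps) {
        if ($key === $lowest) {
            $grant = true;
        }
        $keep = $grant || !empty($caps['manage_options']);
        if ($keep) {
            $roles[$key][$cap] = true;
        } else {
            unset($roles[$key][$cap]);
        }
        $result[$key] = $keep;
    }
    return $result;
}

$cap = 'NextGEN Manage gallery'; // illustrative capability name

// With the fixed ordering the custom role does not exist, so the guard refuses to act.
try {
    demo_set_capability($demo_roles, demo_fixed_order($demo_roles), 'gallery_manager', $cap);
} catch (InvalidArgumentException $e) {
    echo "fixed order: ", $e->getMessage(), "\n";
}

// With the level-based ordering the custom role sits between subscriber and contributor;
// everything from it upward is granted and administrator keeps the capability.
$order = demo_level_order($demo_roles);
echo implode(' < ', array_keys($order)), "\n";
print_r(demo_set_capability($demo_roles, $order, 'gallery_manager', $cap));
```

    Run it with `php demo.php`; the printed order is subscriber < gallery_manager < contributor < author < editor < administrator, and only subscriber ends up without the capability. The manage_options check is what keeps the administrator entry true regardless of where the selected role lands, which is the guard the post argues ngg_set_capability() is missing.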
  • Benjamin (@benjaminowens)

    Hi @mcaskill, thanks for bringing this to our attention!

    That bit of code is definitely flawed. It looks like it was added in 2009 and hasn’t really changed at all since then. I have added this to my list of things to address; we should hopefully have an update in an upcoming NextGEN release.

  • The topic ‘Custom roles lock-out administators from the NGG menus’ is closed to new replies.