• Hi,

    One of the users of your plugin contacted me recently about access to your plugin for users without administrator privileges. You made a step forward by replacing the role ID in the plugin menu definition with the ‘edit_plugins’ user capability.
    I doubt that anyone will grant the ‘edit_plugins’ capability to someone other than a super admin. Take into account that the WordPress Codex security recommendations page includes a requirement to disable file editing via

    
    ## Disable Editing in Dashboard
    define('DISALLOW_FILE_EDIT', true);
    

    It’s a very good practice for a live site, both for security and to prevent the site from suddenly breaking because of a mistake in the code. I’m sure that a large part of WordPress site owners follow this requirement.

    With the constant defined as above, the ‘edit_plugins’ capability will be replaced with ‘do_not_allow’ by the map_meta_cap() function in the wp-includes/capabilities.php file, line #397:

    
    	case 'edit_files':
    	case 'edit_plugins':
    	case 'edit_themes':
    		// Disallow the file editors.
    		if ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT )
    			$caps[] = 'do_not_allow';
    
    

    So a lot of site owners, even with the ‘administrator’ role and the ‘edit_plugins’ capability, will not see your plugin menu, as access to it will be prohibited.

    I can use the ‘manage_options’ capability instead if you wish to keep such a strong level of protection.

    But is there a reason for this very strict restriction for access to your plugin functionality?

    A lot of site owners with multiple users wish to allow their editors and even authors to work with slideshow plugins directly. So the ‘edit_posts’ user capability is quite enough in this case. Moreover, you define a custom post type with the ‘post’ capability type, and it really uses the posts capabilities set for its protection.
    If some parts of your plugin should be available to admins only, you can move them to a separate page/menu item, like ‘SlideShow CK->Settings’, protected by the ‘manage_options’ capability.

    Some developers leave the final choice of user capability to users via a custom filter. So you may change the create_admin_menu() function this way:

    
    function create_admin_menu() {
        $user_capability = apply_filters('slideshow_ck_capability', 'manage_options');
        $this->pagehook = $page = add_menu_page('Slideshow CK', 'Slideshow CK', $user_capability, 'slideshowck_general', array($this, 'render_general'), SLIDESHOWCK_MEDIA_URL . '/images/admin_menu.png');
        add_submenu_page('slideshowck_general', __('Slideshow CK'), __('All Slideshows', 'slideshow-ck'), $user_capability, 'slideshowck_general', array($this, 'render_general'));
        $editpage = add_submenu_page('slideshowck_general', __('Edit'), __('Add New', 'slideshow-ck'), $user_capability, 'slideshowck_edit', array($this, 'render_edit'));
        // for a nice menu icon
        add_action('admin_head', array($this, 'set_admin_menu_image_position'), 20);
    }
    

    Then the site owner can replace the default user capability for his own needs by adding a filter:

    
    add_filter('slideshow_ck_capability', 'set_slideshow_ck_capability', 10, 1);
    
    function set_slideshow_ck_capability($cap) {
        $cap = 'edit_posts';
        
        return $cap;
    }
    
Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author CeiKay

    (@ced1870)

    Hi
    Thank you very much for the feedback. I have updated my plugin to follow your recommendation.
    Let me know if all is OK now.
    CEd

    Thread Starter Vladimir Garagulya

    (@shinephp)

    Hi,

    Excellent. It works as expected. Keep up the good work.

    Plugin Author CeiKay

    (@ced1870)

    thank you !

    Hello,

    I am using woocommerce and slideshowck and I am trying to give permissions to edit and/or add slides to a “Shop Manager” user. Fortunately I found this thread and tried to follow it carefully but didn’t have success. Could you guys help me with how to do it?

    I am using “Advanced Access Manager” to edit the capabilities per user role and also added the snippet Vladimir pointed into my functions.php file but when checking the backend, I can see the slideshowck menu but when I click on it, then the page says “You are not allowed to edit !”.

    Thanks.

    Plugin Author CeiKay

    (@ced1870)

    Hi
    which version of the plugin do you have ?
    the user capability shall now be fixed
    CEd

    Hi,

    Thanks for answering.

    – I have wordpress 4.9.2
    – SlideshowCK 1.1.4

    Plugin Author CeiKay

    (@ced1870)

    please try the 1.1.5 available and tell me if it works

    I updated the plugin and now when I click on the slideshowck menu in the backend I can see the list of the slideshows created, but if I want to edit one, then it still displays the message “You do not have sufficient permissions to access this page”. Not sure if that’s because I created the slideshows with a different user or not.

    PS: updated wordpress to 4.9.4

    • This reply was modified 6 years, 9 months ago by panconjugo.
    Plugin Author CeiKay

    (@ced1870)

    try to create a new slideshow and tell me if it works

    Ok,

    I tried to create a new slideshow with the user role “shop manager” but couldn’t do it, the permission message showed up (can only see the list of slideshows created).

    I can only create new slides as administrator, but then trying to edit that new slideshow as a shop manager user, I can still see the permission message.

    Plugin Author CeiKay

    (@ced1870)

    Hi
    On my side I have this:
    $user_capability = apply_filters('slideshow_ck_capability', 'manage_options');

    As said by Vladimir, you can edit this with the filter to add your own capabilities:

    add_filter('slideshow_ck_capability', 'set_slideshow_ck_capability', 10, 1);
    
    function set_slideshow_ck_capability($cap) {
        $cap = 'edit_posts';
        
        return $cap;
    }
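
One way to keep the menu entry and the page handlers on the same capability, so that a role allowed to see the menu is checked against the same rule by the page behind it. This is an added example, not code from the thread or from Slideshow CK; the class name, its methods and the allow-list are hypothetical, and only the `slideshow_ck_capability` filter and the two page slugs come from the posts above. It assumes it runs inside WordPress.

```php
<?php
/**
 * Added example, not Slideshow CK code. Everything except the
 * 'slideshow_ck_capability' filter and the page slugs is hypothetical.
 */
class Example_Slideshow_Access {
    // Capabilities a site owner may select through the filter (assumed policy).
    const ALLOWED_CAPS = array( 'manage_options', 'edit_pages', 'edit_posts' );

    // Resolve the capability in one place so menu and handlers always agree.
    public static function capability() {
        $cap = apply_filters( 'slideshow_ck_capability', 'manage_options' );
        // Anything outside the allow-list (e.g. 'read', or a non-string value)
        // falls back to the strict default instead of widening access.
        return in_array( $cap, self::ALLOWED_CAPS, true ) ? $cap : 'manage_options';
    }

    public function register_menu() {
        $cap = self::capability();
        add_menu_page( 'Slideshow CK', 'Slideshow CK', $cap, 'slideshowck_general', array( $this, 'render_general' ) );
        add_submenu_page( 'slideshowck_general', 'Edit', 'Add New', $cap, 'slideshowck_edit', array( $this, 'render_edit' ) );
    }

    // Re-check in every handler with the same resolved capability; a hard-coded
    // capability here would let the menu show while the page refuses access.
    private function require_access() {
        if ( ! current_user_can( self::capability() ) ) {
            wp_die(
                esc_html__( 'You do not have sufficient permissions to access this page.' ),
                '',
                array( 'response' => 403 )
            );
        }
    }

    public function render_general() {
        $this->require_access();
        echo '<div class="wrap"><h1>All Slideshows</h1></div>';
    }

    public function render_edit() {
        $this->require_access();
        echo '<div class="wrap"><h1>Edit Slideshow</h1></div>';
    }
}

add_action( 'admin_menu', array( new Example_Slideshow_Access(), 'register_menu' ) );
```
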
  • The topic ‘User Capability Choice’ is closed to new replies.