"Activate Administrator Menu Access module" bug

Viewing 8 posts - 31 through 38 (of 38 total)
  • #4341
    albiurs
    Participant

    Hi Vladimir,

    It looks like we have the same (or a similar) bug again. This time with the plugin Real Media Library (https://codecanyon.net/item/wordpress-real-media-library-media-categories-folders/13155134). If I choose an RML folder (e.g. https://fclandquart.ch/wp-admin/upload.php?rml_folder=1), then I’m forwarded to the dashboard instead of accessing the requested folder, which is exactly the same issue as I had in the previous posts above. If I deactivate User Role Editor Pro, everything works correctly.

    Thanks for fixing it.

    Best,
    Urs

    #4343
    Vladimir
    Keymaster

    Hi Urs,

    It’s not a bug, it’s a feature for custom URL arguments added by plugins. “Block not selected” is too restrictive. It blocks any URL which belongs to the admin menu but differs from the selected/allowed one by its list of arguments. When you discover this for WP built-in features – it’s a bug. I include a fix in URE Pro directly. If a URL argument comes from some plugin: for a popular plugin I can add support for that plugin directly to URE Pro. For others – there is a special filter in URE Pro, which allows you to change the list of allowed arguments for a URL. Take the code below and insert it into your active theme’s functions.php file or set it up as a Must Use plugin:

    
    // Allow the 'rml_folder' URL argument for upload.php
    add_filter('ure_admin_menu_access_allowed_args', 'ure_allow_arg_for_upload', 10, 1);

    function ure_allow_arg_for_upload($args) {
        $args['upload.php'][''][] = 'rml_folder';

        return $args;
    }
    

    This should fix your problem with redirection from this URL for restricted role.

    #4346
    albiurs
    Participant

    Hi Vladimir,

    Thanks so much for your reply! I think now I finally got what the issue actually is about. Thanks for the code, I added a mu-plugin which works fine.

    So, if URE Pro blocks legitimate URL arguments, then of course other customers will have the same issue too, as the number of URL arguments is endless and this of course is an issue. The mu-plugin works, but this is rather a workaround than a proper solution. Therefore, I’d suggest complementing URE Pro with the option of a “URL arguments whitelist”. Maybe you already know Bullet Proof Security Pro. This plugin does a similar thing. It blocks all plugin scripts by default and then provides a whitelist for legitimate scripts. All the plugin scripts get added to a textbox separated by commas – that’s it. I could imagine something similar for URE Pro. What do you think about this idea?

    Best wishes,
    Urs

    #4347
    Vladimir
    Keymaster

    Yes, you suggested exactly the same solution that I have been thinking about myself. Thank you.
    Yes, I plan to write a module to manage a white list of arguments for the admin menu links.

    #4373
    albiurs
    Participant

    Hi Vladimir,

    Now I have activated the LayerSlider plugin, where I get the same issue within the editor using the following URL:
    /wp-admin/admin.php?page=layerslider&action=edit&id=1

    What does the code above have to look like if the URL is much longer like this?

    #4375
    Vladimir
    Keymaster

    Hi Urs,

    Code for LayerSlider URL arguments will be:

    
    // Allow the LayerSlider URL arguments for admin.php?page=layerslider
    add_filter('ure_admin_menu_access_allowed_args', 'ure_allow_arg_for_admin', 10, 1);

    function ure_allow_arg_for_admin($args) {
        $args['admin.php']['layerslider'][] = 'id';
        $args['admin.php']['layerslider'][] = 'action';
        $args['admin.php']['layerslider'][] = '_wpnonce';

        return $args;
    }
    
    #4381
    albiurs
    Participant

    Hi Vladimir,

    Thank you very much! Is the line with _wpnonce actually needed? As the URL does not contain more arguments, the code also works without this line…

    Thanks

    #4382
    Vladimir
    Keymaster

    I added ‘_wpnonce’ just in case… There is another link (Duplicate) on the page which contains this argument.
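
The following is an added example, not part of the thread and not URE Pro's code: a simplified model of a per-page argument allowlist, showing which requests from the thread pass and which carry an unlisted argument. Only the array layout comes from the posts above; the function `unlisted_args()`, the rule that `page` itself is always permitted, and the sample URLs with `action=duplicate` and `example_arg` are assumptions made for illustration.

```php
<?php
// Added illustration: a simplified model of an argument allowlist check.
// It is NOT URE Pro's implementation; only the array layout is from the thread.

/**
 * Return the query argument names in $url that the allowlist does not cover.
 * Layout used in the thread: $allowed[script][page slug or ''][] = argument name.
 * Assumption of this model: the 'page' argument itself is always permitted.
 */
function unlisted_args(string $url, array $allowed): array
{
    $script = basename((string) parse_url($url, PHP_URL_PATH));
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);

    $page = isset($query['page']) && is_string($query['page']) ? $query['page'] : '';
    $permitted = $allowed[$script][$page] ?? [];
    if ($page !== '') {
        $permitted[] = 'page';
    }
    // Only argument names are compared; values are not inspected here.
    return array_values(array_diff(array_keys($query), $permitted));
}

// Allowlist filled the same way as the filter callbacks in the thread,
// but without the '_wpnonce' line, to show what that line changes.
$allowed = [];
$allowed['upload.php'][''][] = 'rml_folder';
$allowed['admin.php']['layerslider'][] = 'id';
$allowed['admin.php']['layerslider'][] = 'action';

// Constructed sample requests (nonce value and example_arg are made up).
$samples = [
    '/wp-admin/upload.php?rml_folder=1',
    '/wp-admin/admin.php?page=layerslider&action=edit&id=1',
    '/wp-admin/admin.php?page=layerslider&action=duplicate&id=1&_wpnonce=abc123',
    '/wp-admin/upload.php?rml_folder=1&example_arg=x',
];

foreach ($samples as $url) {
    $extra = unlisted_args($url, $allowed);
    $verdict = $extra ? 'unlisted: ' . implode(', ', $extra) : 'all arguments listed';
    printf("%-78s %s\n", $url, $verdict);
}
```

Each name added to the list widens what a restricted role can request on that page, so list only the arguments the role actually needs.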
