Change WordPress user roles and capabilities › Forums › Bug Reports › "Activate Administrator Menu Access module" bug
Tagged: Activate Administrator Menu Access module Block menu items Not Selected switch media library menus
- This topic has 37 replies, 2 voices, and was last updated 6 years, 11 months ago by Vladimir.
-
AuthorPosts
-
28/10/2017 at 15:54 #4341albiursParticipant
Hi Vladimir,
It looks like we have the same (or a similar) bug again. This time with the plugin Real Media Library (https://codecanyon.net/item/wordpress-real-media-library-media-categories-folders/13155134). If I chose a RML-folder (e.g. https://fclandquart.ch/wp-admin/upload.php?rml_folder=1), then I’m forwarded to the dashboard instead of accessing the requested folder, which is exactly the same issue as I had in the previous posts above. If I deactivate the user role editor pro, everything works correctly.
Thanks for fixing it.
Best,
Urs30/10/2017 at 04:15 #4343VladimirKeymasterHi Urs,
It’s not a bug, it’s a feature for custom URL arguments added by plugins. “Block not selected” is too restrictive. It blocks any URL which belongs to the admin menu but differs from the selected/allowed by the list of arguments. When you discover this for WP built-in features – it’s a bug. I include a fix into URE Pro directly. If URL argument comes from some plugin: for popular plugin I can add support for such plugin directly to URE Pro. For others – there is a special filter in URE Pro, which allows to change the list of allowed arguments for URL. Take a code below and insert it to your active theme functions.php file or set it as a Must Use plugin:
add_filter('ure_admin_menu_access_allowed_args', 'ure_allow_arg_for_upload', 10, 1); function ure_allow_arg_for_upload($args) { $args['upload.php'][''][] = 'rml_folder'; return $args; }
This should fix your problem with redirection from this URL for restricted role.
30/10/2017 at 13:35 #4346albiursParticipantHi Vladimir,
Thanks so much for your reply! I think now I finally got what the issue actually is about. Thanks for the code, I added a mu-plugin which works fine.
So, if URE Pro blocks legitimate url arguments, then of course other customers will have the same issue too, as the number of url arguments is endless and this of course is an issue. The mu-plugin works, but this is rather a workaround then a proper solution. Therefore, I’d suggest to complement URE Pro with the option of a “url arguments whitelist”. Maybe you already know Bullet Proof Security Pro. This plugin does a similar thing. It blocks all plugin scripts by default and then provides a whitelist for legitimate scripts. All the plugin scripts get added to a textbox separated by commas – that’s it. I could imagine something similar for URE Pro. What do you think about this idea?
Best wishes,
Urs30/10/2017 at 14:31 #4347VladimirKeymasterYes, you suggested exactly the same solution, about which I think myself. Thank you.
Yes, I plan to write a module to manage a white list of arguments for the admin menu links.06/11/2017 at 16:39 #4373albiursParticipantHi Vladimir,
Now, as I have activated the LayerSlider Plugin where I get the same issue within the editor using the following url:
/wp-admin/admin.php?page=layerslider&action=edit&id=1What does the code above has to look like if the url is much longer like this?
07/11/2017 at 03:49 #4375VladimirKeymasterHi Urs,
Code for LayerSlider URL arguments will be:
add_filter('ure_admin_menu_access_allowed_args', 'ure_allow_arg_for_admin', 10, 1); function ure_allow_arg_for_admin($args) { $args['admin.php']['layerslider'][] = 'id'; $args['admin.php']['layerslider'][] = 'action'; $args['admin.php']['layerslider'][] = '_wpnonce'; return $args; }
07/11/2017 at 16:44 #4381albiursParticipantHi Vladimir,
Thank you very much! Is the line with _wpnonce actually needed? As the url does not contain more arguments the code also works without this line…
Thanks
07/11/2017 at 16:58 #4382VladimirKeymasterI added ‘_wpnonce’ just in case… There is other link (Duplicate) at the page which contains this argument.
-
AuthorPosts
- You must be logged in to reply to this topic.