Change WordPress user roles and capabilities Forums Bug Reports Incorrect Capabilities Checked

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
  • #5084

    I was defining a new role (via code) and one of my co-workers was trying to validate the settings in URE and kept telling me that capabilities I had explicitly defined as false for that role had the boxes checked in the URE UI.

    Versions bug observed in: 4.47.1, 4.47.2 (LATEST)
    Pro key entered.
    WordPress: 4.9.7, 4.9.8 (LATEST)

    What I discovered is that there’s a defect in the JavaScript (/js/ure.js:532), after the async request for get_role_caps comes back the JavaScript only checks for the presence of the property name for a capability in order to check the box next to it, but does NOT validate that the value assigned to that property is true (or truthy). For example in one of my test sites I defined one capability as true and another as false and I can see they are both checked.

    Note: This can only be observed when selecting a role via JS; if the affected role is the default role that gets selected on page load, the boxes are checked correctly (via PHP)

    Code used to define the new role:

    add_action( 'admin_init', 'sample_add_role_test' );
    function sample_add_role_test() {
    	$role_slug    = 'sample_role';
    	$display_name = 'Sample Role';
    	$capabilities = array(
    		'publish_pages' => true,
    		'activate_plugins' => false
    	$role = add_role( $role_slug, $display_name, $capabilities );

    Response from get_role_caps:
    {"result":"success","message":"Role capabilities retrieved successfully","role_id":"sample_role","role_name":"Sample Role","caps":{"publish_pages":true,"activate_plugins":false},"options":[]}

    Upon switching to this role in /wp-admin/users.php?page=users-user-role-editor-pro.php and observing the JS update both boxes for publish_pages and activate_plugins are selected.

    This is causing issues for us that will require revisiting all of our role settings after this fix to make sure that upon saving after selecting a role we haven’t inadvertently assigned permissions to users who were supposed to NOT have that permission by design.


    The affected JavaScript looks like this:

        jQuery('.ure-cap-cb').each(function () { // go through all capabilities checkboxes
            jQuery(this).prop('checked', response.caps.hasOwnProperty(;

    But should be more like:

        jQuery('.ure-cap-cb').each(function () { // go through all capabilities checkboxes
    		if (response.caps.hasOwnProperty( && response.caps[]) {
    			jQuery(this).prop('checked', true);
    		} else {
    			jQuery(this).prop('checked', false);

    This correctly checks boxes with true values and unchecks boxes with false values.


    Thanks for your help in isolating this bug. I will publish the fix.


    The fix was included into version 4.47.3, which I published today.


    Thank you for your prompt response Vladimir! The new version displays capabilities as expected on my test environment.


    Excellent! Thanks for the help with testing.

Viewing 6 posts - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.