Incorrect Capabilities Checked

  • #5084
    TownNews.com
    Participant

    I was defining a new role (via code) and one of my co-workers was trying to validate the settings in URE and kept telling me that capabilities I had explicitly defined as false for that role had the boxes checked in the URE UI.

    Versions bug observed in: 4.47.1, 4.47.2 (LATEST)
    Pro key entered.
    WordPress: 4.9.7, 4.9.8 (LATEST)

    What I discovered is that there’s a defect in the JavaScript (/js/ure.js:532): after the async request for get_role_caps comes back, the JavaScript only checks for the presence of the property name for a capability in order to check the box next to it, but does NOT validate that the value assigned to that property is true (or truthy). For example, in one of my test sites I defined one capability as true and another as false, and I can see they are both checked.

    Note: This can only be observed when selecting a role via JS; if the affected role is the default role that gets selected on page load, the boxes are checked correctly (via PHP).

    Code used to define the new role:

    <?php
    add_action( 'admin_init', 'sample_add_role_test' );
    function sample_add_role_test() {
    	$role_slug    = 'sample_role';
    	$display_name = 'Sample Role';
    
    	$capabilities = array(
    		'publish_pages' => true,
    		'activate_plugins' => false
    	);
    	$role = add_role( $role_slug, $display_name, $capabilities );
    }
    ?>
    

    Response from get_role_caps:
    {"result":"success","message":"Role capabilities retrieved successfully","role_id":"sample_role","role_name":"Sample Role","caps":{"publish_pages":true,"activate_plugins":false},"options":[]}

    Result:
    Upon switching to this role in /wp-admin/users.php?page=users-user-role-editor-pro.php and observing the JS update, both boxes for publish_pages and activate_plugins are selected.

    This is causing issues for us that will require revisiting all of our role settings after this fix to make sure that upon saving after selecting a role we haven’t inadvertently assigned permissions to users who were supposed to NOT have that permission by design.

    #5085
    TownNews.com
    Participant

    The affected JavaScript looks like this:

    
        jQuery('.ure-cap-cb').each(function () { // go through all capabilities checkboxes
            jQuery(this).prop('checked', response.caps.hasOwnProperty(this.id));
        }); 
    

    But should be more like:

    
        jQuery('.ure-cap-cb').each(function () { // go through all capabilities checkboxes
            if (response.caps.hasOwnProperty(this.id) && response.caps[this.id]) {
                jQuery(this).prop('checked', true);
            } else {
                jQuery(this).prop('checked', false);
            }
        });
    

    This correctly checks boxes with true values and unchecks boxes with false values.
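
The two checkbox rules from the post above, as an added example that is not part of the original posts and is not User Role Editor's own code: it restates both rules as pure functions and lists the capabilities the presence-only rule shows as checked although the role stores them as false. The function names and the `edit_posts` checkbox id are assumptions; the response body is the one quoted in the thread.

```javascript
// Added example: checkbox rules from the thread as pure functions (no jQuery/DOM).
// Response body as quoted in the thread for the 'sample_role' role.
const response = JSON.parse(
  '{"result":"success","message":"Role capabilities retrieved successfully",' +
  '"role_id":"sample_role","role_name":"Sample Role",' +
  '"caps":{"publish_pages":true,"activate_plugins":false},"options":[]}'
);

// Constructed list of checkbox ids; 'edit_posts' is an assumption standing in
// for a capability the role does not list at all.
const checkboxIds = ['publish_pages', 'activate_plugins', 'edit_posts'];

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Rule before the fix: a box is checked if the capability name is present.
function checkedByPresence(caps, id) {
  return has(caps, id);
}

// Rule after the fix: the name must be present and its value truthy.
function checkedByValue(caps, id) {
  return has(caps, id) && Boolean(caps[id]);
}

// Checkbox state for every id under the given rule.
function renderState(caps, ids, rule) {
  return Object.fromEntries(ids.map((id) => [id, rule(caps, id)]));
}

// Capabilities the presence-only rule shows as checked although the role
// stores them as false: the ones to re-verify on roles edited before the fix.
function shownButDenied(caps, ids) {
  return ids.filter((id) => checkedByPresence(caps, id) && !checkedByValue(caps, id));
}

console.log('before fix:', renderState(response.caps, checkboxIds, checkedByPresence));
console.log('after fix: ', renderState(response.caps, checkboxIds, checkedByValue));
console.log('re-verify: ', shownButDenied(response.caps, checkboxIds));
```
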

    #5086
    Vladimir
    Keymaster

    Thanks for your help in isolating this bug. I will publish the fix.

    #5090
    Vladimir
    Keymaster

    The fix was included in version 4.47.3, which I published today.

    #5096
    TownNews.com
    Participant

    Thank you for your prompt response, Vladimir! The new version displays capabilities as expected on my test environment.

    #5097
    Vladimir
    Keymaster

    Excellent! Thanks for the help with testing.
