- This topic has 3 replies, 2 voices, and was last updated 6 years, 9 months ago by
.
-
Posts
-
We have a page set up as follows:
View Access: Allow View
For Users: Selected User Roles
bbp_keymaster (This is “Keymaster” role)
Action: Show Access Error MessageFor some reason, we have a user that can still access this page, even though he does not have the bbp_keymaster role.
We noticed that they can access the page when they have the “GA Site Administrator” role, which is a collection of many capabilities that seem distinct from the Keymaster roles as far as I can tell. When we remove the “GA Site Administrator” role, they get the access error message.
Are there any capabilities that allow the user to access pages even though they do not have the role specified in the page setup? Seems like apparently there are, but I’m trying to figure out which ones, or why?
Thanks.
I meant: “GA Site Administrator” role, which is a collection of many capabilities that seem distinct from the Keymaster capabilities as far as I can tell.
Basically GA Site Administrator is unrelated to Keymaster, yet it gives users ability to see the page. This ability to see pages by those that are not in the specified group to view the page could be a security risk.
Hi,
Can ‘GA Site Administrator’ role edit this page? URE does not apply content view restrictions to a page in case current user can edit this page. This is a default behavior.
In case you need to change this, you can set a custom hook ‘ure_restrict_content_view_for_authors_and_editors‘.
- You must be logged in to reply to this topic.
