[Vladimir]

I “Network activated” provided plugin. I added a menu to the network admin and it shows this information at its page:

Plugin Version: 4.2.7 [Free] (One User, One account per Network)
You are using “Single User” version of the plugin. This version could be used only on a single site by a single user.

So this version of “Social networks” plugin could not be managed (change settings) by “all authors of any sites”, but just one user on a single site. That is social network accounts may belong to a single user only.

Menu of this plugin at selected subsite is protected this way:
SNAP|AutoPoster – haveown_snap_accss
Accounts – haveown_snap_accss
Quick Post – haveown_snap_accss
Query/Timeline – haveown_snap_accss
Reposter – manage_options
Settings – manage_options
Log/History – haveown_snap_accss
Help/Support – manage_options

“Auto Poster” plugin has its own “User privileges/security” section inside of the “SNAP/Auto Poster”->”Settings” page. It can itself add own custom capabilities ‘see_snap_box’ and ‘make_snap_posts’ to the selected roles.

[Vladimir]

If you wish to proceed with Pro version start from the detailed description what do you need to achieve, to what plugin (download link) do you need provide access for editor. If that’s a premium plugin I need access to its copy in order to check what real permissions it requires. You can share plugin copy with support [at-sign] role-editor.com via DropBox or similar service.

In general user of Pro version can check what permissions required by some plugin for access to its menu items using “Admin menu access” tool. Open it for ‘administrator’ role and look what capability protects what menu item. Then grant that capability to the other role.

[Vladimir]

When you open Users->User Role Editor under the network admin it is opened for the main site. All roles and other data is related to the main site there.
You will never see “Tools->Delete site” menu item for the main site, as it’s not possible to delete main site. This menu item is for the subsites only. Thus you can not block it via main site admin menu.

Interesting, that if you open URE’s “Admin menu” dialog from the main site, not from the network admin, you will see “Mailgun” menus under the “Settings” menu. It may be related to a way, how plugin registers its menu, I suppose.

You need to know that when you modify role or available add-ons permissions via network admin, you make this for the main site only. You need to click “Update Network” button to replicate your settings from the main site to all other subsites. Unfortunately, this will not work for the “Tools->Delete site” menu item. It requires manual blocking for every subsite.

From other side, any settings you manually made for subsites are untouched until you don’t click “Update Network” from the network admin.

[Vladimir]

Hi,

Let me insist that Clienside plugin makes changes not compatible with WordPress default policy, and thus URE is not compatible with it.
URE shows user capability taken from the WordPress global $menu and $submenu structures. All them are shown as ‘read’.
Thus full submenus are available to the ‘editor’ role while it does not has full list of existing capabilities.

Btw, ‘Delete site’ menu item was not selected for blocking. May be it was a reason while this menu item was still visible for the user with ‘editor’ role.

But the “Tools” submenu contains just 2 items which available to the ‘editor’ role according to its real capabilities. The same is correct for the other submenu.

More, “Mailgun” and “Mailgun Lists” becomes visible under the “Settings” menu. They were unselected when I made screenshot. They disappeared from the “editor” point of view after I blocked them here.

The only unresolved issue is “Page builder” welcome page menu item.
A problem is that it does not exists in admin menu while a user or role has real access to at least one of the “Page builder” menu items. This menu items is created by js-composer plugin for user who does not have access to its menu at all. So we can not block it via URE’s admin menu.

It’s possible to hide it via custom code only.

My final conclusion, ‘Clientside’ is really involved to the reported problems.

I will not spent time for compatibility of URE with Clientside. The plugin should respect permissions of WordPress global structures, such as admin menu.

So if you will decide to stay with ‘Clientside’, I’m ready to refund your payment for User Role Editor.

[Vladimir]

Thank you for this information. I will continue tomorrow. It’s too late today here (GMT+7).

[Vladimir]

“Tools->Delete Site” menu item is protected by meta capability ‘delete_site’, which is mapped finally to the real ‘manage_options’ capability. Your modified ‘editor’ role has ‘manage_options’ capability. This explains 1) why user with editor role has access to the ‘Tools->Delete Site” menu item.

I made quick test and “Admin menu access” hides/blocks this menu item successfully for the WordPress built-in admin theme. I suppose that User Role Editor is not compatible with “clientside” plugin. Can you deactivate this plugin temporally and look if “Delete Site” menu item will be hidden for a user with ‘editor” role?

I will try to answer on VC and mailgun part of your question tomorrow.

[Vladimir]

Hi Danny,

“Show theme/plugin notices to admin only” option at URE’s option page uses WordPress built-in admin theme CSS classes to hide HTML element simply changing its ‘display’ property to ‘none’.

I think that ‘clientside’ plugin redefines notices part HTML/CSS structure. So this URE’s simple hack stopped working.

You may try more advanced technique to force WordPress do not output such notices at all. May be it will work this way for the modified admin theme.

It’s possible to use role additional options for that. Additional option code to hide admin notices is described here.

[Vladimir]

This code switches off WooCommerce 3.4.6 roles changing code for WordPress multisite superadmin:

add_action( 'admin_init', 'fix_for_wc_436');

function fix_for_wc_436() {

    if ( ! is_multisite() or ! is_super_admin() ) {
        return;
    }
    
    remove_filter( 'editable_roles', 'wc_modify_editable_roles' );
    remove_filter( 'map_meta_cap', 'wc_modify_map_meta_cap', 10 );

}

[Vladimir]

Send credentials to support [at-sign] role-editor.com

[Vladimir]

I’m ready to analyse the reported issues with admin menu. The most quick way is to setup a copy of your site at my development environment. Is it possible to get files (without wp-content/uploads) and database copy of your site (may be stage one, without wp_users table) for this purpose?

[Vladimir]

Hi,
About a problem with roles list – it’s a WooCommerce bug introduced at version 3.4.6.
More information:

Update 4.48 – User role only customer on Multisites

https://wordpress.org/support/topic/woocommerce-blocks-super-admin-permissions/

[Vladimir]

There is one more function at the same file, which may prevent superadmin from editing users without ‘Customer’ role:

function wc_modify_map_meta_cap( $caps, $cap, $user_id, $args ) {
	switch ( $cap ) {
		case 'edit_user':
		case 'remove_user':
		case 'promote_user':
		case 'delete_user':
			if ( ! isset( $args[0] ) || $args[0] === $user_id ) {
				break;
			} else {
				if ( user_can( $args[0], 'administrator' ) && ! current_user_can( 'administrator' ) ) {
					$caps[] = 'do_not_allow';
				}

				// Shop managers can only edit customer info.
				if ( current_user_can( 'shop_manager' ) ) {
					$userdata = get_userdata( $args[0] );
					$shop_manager_editable_roles = apply_filters( 'woocommerce_shop_manager_editable_roles', array( 'customer' ) );
					if ( property_exists( $userdata, 'roles' ) && ! empty( $userdata->roles ) && ! array_intersect( $userdata->roles, $shop_manager_editable_roles ) ) {
						$caps[] = 'do_not_allow';
					}
				}
			}
			break;
	}
	return $caps;
}

Workaround – remove/comment part with condition for ‘shop_manager’ or use ‘woocommerce_shop_manager_editable_roles’ custom filter to not restrict editable roles for superadmin.

[Vladimir]

No need in access to your site copy. I just re-tested WC v. 3.4.6 and reproduced the issue.
Good news: All roles are in place and just not shown while WooCommerce is active. I investigated the issue and found a serious bug in WooCommerce code:

Look at the line #339. current_user_can() always returns true for WP multisite superadmin user. Thus this code hides all roles except ‘customer’. This function is located inside ‘includes/wc-user-functions.php’ file.
It’s a new behaviour. This code was added from version 3.4.6

You have 2 variants until they fix this:

1) rollback to prev. version of WC 3.4.5

or

2) comment lines 339-342 in the updated function. It looked this way at version 3.4.5:

function wc_modify_editable_roles( $roles ) {
    if ( ! current_user_can( 'administrator' ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}

[Vladimir]

I don’t have solution for this purpose. While it’s possible to block access to admin menu items and related URLs, URE Pro does not manage access inside allowed pages.

[Vladimir]

Do you have files (without wp-content/uploads folder) & database copy before update to 4.48?
I’m ready to test this update with your files/data to isolate a problem if it will be repeated, while I don’t even imagine currently what my cause it.

[Author]

Posts