[Vladimir]

Thank you for this information. I will continue tomorrow. It’s too late today here (GMT+7).

[Vladimir]

“Tools->Delete Site” menu item is protected by meta capability ‘delete_site’, which is mapped finally to the real ‘manage_options’ capability. Your modified ‘editor’ role has ‘manage_options’ capability. This explains 1) why user with editor role has access to the ‘Tools->Delete Site” menu item.

I made quick test and “Admin menu access” hides/blocks this menu item successfully for the WordPress built-in admin theme. I suppose that User Role Editor is not compatible with “clientside” plugin. Can you deactivate this plugin temporally and look if “Delete Site” menu item will be hidden for a user with ‘editor” role?

I will try to answer on VC and mailgun part of your question tomorrow.

[Vladimir]

Hi Danny,

“Show theme/plugin notices to admin only” option at URE’s option page uses WordPress built-in admin theme CSS classes to hide HTML element simply changing its ‘display’ property to ‘none’.

I think that ‘clientside’ plugin redefines notices part HTML/CSS structure. So this URE’s simple hack stopped working.

You may try more advanced technique to force WordPress do not output such notices at all. May be it will work this way for the modified admin theme.

It’s possible to use role additional options for that. Additional option code to hide admin notices is described here.

[Vladimir]

This code switches off WooCommerce 3.4.6 roles changing code for WordPress multisite superadmin:

add_action( 'admin_init', 'fix_for_wc_436');

function fix_for_wc_436() {

    if ( ! is_multisite() or ! is_super_admin() ) {
        return;
    }
    
    remove_filter( 'editable_roles', 'wc_modify_editable_roles' );
    remove_filter( 'map_meta_cap', 'wc_modify_map_meta_cap', 10 );

}

[Vladimir]

Send credentials to support [at-sign] role-editor.com

[Vladimir]

I’m ready to analyse the reported issues with admin menu. The most quick way is to setup a copy of your site at my development environment. Is it possible to get files (without wp-content/uploads) and database copy of your site (may be stage one, without wp_users table) for this purpose?

[Vladimir]

Hi,
About a problem with roles list – it’s a WooCommerce bug introduced at version 3.4.6.
More information:

Update 4.48 – User role only customer on Multisites

https://wordpress.org/support/topic/woocommerce-blocks-super-admin-permissions/

[Vladimir]

There is one more function at the same file, which may prevent superadmin from editing users without ‘Customer’ role:

function wc_modify_map_meta_cap( $caps, $cap, $user_id, $args ) {
	switch ( $cap ) {
		case 'edit_user':
		case 'remove_user':
		case 'promote_user':
		case 'delete_user':
			if ( ! isset( $args[0] ) || $args[0] === $user_id ) {
				break;
			} else {
				if ( user_can( $args[0], 'administrator' ) && ! current_user_can( 'administrator' ) ) {
					$caps[] = 'do_not_allow';
				}

				// Shop managers can only edit customer info.
				if ( current_user_can( 'shop_manager' ) ) {
					$userdata = get_userdata( $args[0] );
					$shop_manager_editable_roles = apply_filters( 'woocommerce_shop_manager_editable_roles', array( 'customer' ) );
					if ( property_exists( $userdata, 'roles' ) && ! empty( $userdata->roles ) && ! array_intersect( $userdata->roles, $shop_manager_editable_roles ) ) {
						$caps[] = 'do_not_allow';
					}
				}
			}
			break;
	}
	return $caps;
}

Workaround – remove/comment part with condition for ‘shop_manager’ or use ‘woocommerce_shop_manager_editable_roles’ custom filter to not restrict editable roles for superadmin.

[Vladimir]

No need in access to your site copy. I just re-tested WC v. 3.4.6 and reproduced the issue.
Good news: All roles are in place and just not shown while WooCommerce is active. I investigated the issue and found a serious bug in WooCommerce code:

Look at the line #339. current_user_can() always returns true for WP multisite superadmin user. Thus this code hides all roles except ‘customer’. This function is located inside ‘includes/wc-user-functions.php’ file.
It’s a new behaviour. This code was added from version 3.4.6

You have 2 variants until they fix this:

1) rollback to prev. version of WC 3.4.5

or

2) comment lines 339-342 in the updated function. It looked this way at version 3.4.5:

function wc_modify_editable_roles( $roles ) {
    if ( ! current_user_can( 'administrator' ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}

[Vladimir]

I don’t have solution for this purpose. While it’s possible to block access to admin menu items and related URLs, URE Pro does not manage access inside allowed pages.

[Vladimir]

Do you have files (without wp-content/uploads folder) & database copy before update to 4.48?
I’m ready to test this update with your files/data to isolate a problem if it will be repeated, while I don’t even imagine currently what my cause it.

[Vladimir]

Version 4.48 does not contain any changes related to the roles list update.
If you still have access to the URE, then at least one additional role exists – administrator.

Did you activate/update any other/new plugins?

[Vladimir]

Daniel,

All items of ‘WC Invoice’ menu are protected by ‘manage_options’ user capability. It’s hardcoded in plugin source code. Plugin does not provide any filter to change this capability without editing source code.

Admin menu access add-on allows to block for a role critical menu items, which you can not block via user capabilities.

[Vladimir]

Daniel,

You have 2 options:
1) ask that plugin support what permission is required for access to its menu;
2) share plugin copy with me (support [at-sign] role-editor.com) via DropBox or similar service in order I can find an answer myself.

[Vladimir]

Hi Daniel,

Give me more details.
What plugin do you use to work with wc invoice?
What menu item do you wish to make available for a user?

[Author]

Posts