[Vladimir]

Hi Jake!

Good news that they work on a problem. Let’s wait for the update.

[Vladimir]

The fix was included into version 4.47.3, which I published today.

[Vladimir]

I published version 4.47.3 today, which includes the update for this issue:
* Update: Content view restrictions add-on: meta box is added with ‘low’ priority now instead of ‘default’. It’s done for compatibility with custom post types (like “LearnPress->Courses”) for which this meta box was not shown.

[Vladimir]

Thanks for finding this. Line 434 at meta-boxes.php has a syntax error. It should use ‘.’ operator for strings concatenation instead of ‘+’. So valid code will be:

return array('result'=>'success', 'message'=>'Widgets permissions for '. $ure_object_name, 'html'=>$html);

I will include this fix into the next version 4.47.3. Let me know the result of your testing with updated version of this file.

[Vladimir]

Thanks for your help in isolating this bug. I will publish the fix.

[Vladimir]

Hi,

Go to every subsite where you have a problem and check if ‘Administrator’ role there has those custom post types capabilities granted.

[Vladimir]

Jake,

Thanks for this and upcoming information. The author of this topic have made the same and did not get response from BB developers yet.

[Vladimir]

Thanks.
I repeated the issue. Problem is not obvious and needs some time for the investigation. I will inform you as I get the result.

[Vladimir]

User should have ‘edit_posts’, ‘edit_published_posts’ capabilities in order to edit own posts. ‘edit_others_posts’ is required to edit a post created by other user.

Did you set edit restriction for such user?
If ‘Yes’, such restriction does allow him to edit the posts just from the list which you allowed for him. WordPress internally creates new post and then reopen it for edit. That’s why edit permission error may be shown.

[Vladimir]

Can you share this plugin .zip with support [at-sign] role-editor.com via DropBox or Google Drive? I will look what is going on then.

[Vladimir]

Try to install this code (theme’s functions.php or Must Use plugin):

add_filter('ure_users_select_primary_role', 'my_users_select_primary_role', 10, 1);
function my_users_select_primary_role($select) {

    $user = wp_get_current_user();
    if (in_array('user-manager', $user->roles)) {
        $select = false;
    }
    
    return $select;
}

add_filter('ure_show_additional_capabilities_section', 'ure_show_additional_capabilities_section');
add_filter('ure_bulk_grant_roles',  'ure_show_additional_capabilities_section');

 
function ure_show_additional_capabilities_section($show) {

    $user = wp_get_current_user();
    if (in_array('user-manager', $user->roles)) {
        $show = false;
    }

    return $show;
}

Replace ‘user-manager’ with your own user role ID.

[Vladimir]

I got a copy of Beaver Builder Pro plugin version 2.1.2.4 for testing from one of the clients. The result of my investigation below:

User Role Editor (URE) does not limit superadmin – for WordPress single site URE counts as a superadmin any user with ‘administrator’ role and uses WordPress’s own is_super_admin() function for the multisite installation only. URE is written this way as WordPress counts as a superadmin for single site installation any user with ‘delete_users’ capability. Such user is not a real superadmin for many cases with multiple users who can edit users only with limited roles available for the selection.

Beaver Builder (BB) plugin developers counts that they may work with user permissions very-very freely. If WordPress counts someone as a superadmin, but he does not have ‘administrator’ role for some reason. let’s grant this role to him. Why not?

Thus, even if you did not plan to grant to someone the ‘administrator’ role, just allow him to delete users, BB plugin will make it for you very freely and easily.
My conclusion – it’s incorrect way of working with user permissions.

In theory BB should grant not ‘administrator’ role, but the full list of BB capabilities only and not directly to a current user, but to ‘administrator’ role only. Some subset may be granted to editor role, etc. Leave the decision what user what permission has at the site to the site administrator, do not decide so critical question for him behind the scene.

Workaround: comment lines 255, 256, 257 at bb-plugin/classes/class-fl-builder-user-access.php file and do not forget to repeat that after every BB plugin update until they update this part of code with something more compatible with security requirements.

[Vladimir]

Hi,

I do not see such way in URE Pro.

[Vladimir]

Hi,

I don’t have a ready to use solution on hands.

robots.txt may give some initial help. Dissalow for bots a folder where you store PDFs.

In general, for a strong security you have to place files into the restricted folder (closed for public) and use special script which will provide content of selected file for the authorized users only.

[Vladimir]

Hi,

User manager with 2 capabilities:
– list_users,
– edit_users
does not see ‘Capabilities’ link under user role. It’s enough to open user profile to change a role(s) granted to user.
It’s possible to hide from such user manager a primary role controls using URE custom filter, like this:

add_filter('ure_users_select_primary_role', 'my_users_select_primary_role', 10, 1);
function my_users_select_primary_role($select) {

    $select = false;
    
    return $select;
}

This filter does not take effect for site superadmin.

You may add this code to the active theme functions.php file or setup it as a Must Use plugin.

[Author]

Posts