Forum Replies Created
Vladimir
Keymaster
I got a copy of Beaver Builder Pro plugin version 2.1.2.4 for testing from one of the clients. The result of my investigation is below:
User Role Editor (URE) does not limit superadmin – for WordPress single site URE counts as a superadmin any user with the ‘administrator’ role and uses WordPress’s own is_super_admin() function for the multisite installation only. URE is written this way as WordPress counts as a superadmin for single site installation any user with the ‘delete_users’ capability. Such a user is not a real superadmin in many cases with multiple users who can edit users only with limited roles available for the selection.
Beaver Builder (BB) plugin developers count that they may work with user permissions very-very freely. If WordPress counts someone as a superadmin, but he does not have the ‘administrator’ role for some reason, let’s grant this role to him. Why not?
Thus, even if you did not plan to grant to someone the ‘administrator’ role, just allow him to delete users, BB plugin will make it for you very freely and easily.
My conclusion – it’s an incorrect way of working with user permissions. In theory BB should grant not the ‘administrator’ role, but the full list of BB capabilities only, and not directly to the current user, but to the ‘administrator’ role only. Some subset may be granted to the editor role, etc. Leave the decision about which user has which permission at the site to the site administrator; do not decide such a critical question for him behind the scenes.
Workaround: comment out lines 255, 256, 257 in the bb-plugin/classes/class-fl-builder-user-access.php file and do not forget to repeat that after every BB plugin update until they update this part of the code with something more compatible with security requirements.
Vladimir
Keymaster
Hi,
I do not see such a way in URE Pro.
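An audit for the situation described in the first reply above (a user who can delete users but was never meant to be an administrator), as an added example that is not part of the original posts and is not URE or Beaver Builder code. The function name and the script file name are hypothetical; it assumes a single-site install and WP-CLI for running it.

```php
<?php
/**
 * Added example, not URE or Beaver Builder code.
 * Single-site audit: users who hold 'delete_users' (so WordPress treats them
 * as superadmin) without having the 'administrator' role.
 * The function name is hypothetical. Run with: wp eval-file audit.php
 */
function my_find_non_admin_superadmins() {
    $findings = array();
    if ( is_multisite() ) {
        return $findings; // multisite uses its own super admin list instead
    }
    foreach ( get_users() as $user ) {
        $roles = (array) $user->roles;
        if ( in_array( 'administrator', $roles, true ) || ! $user->has_cap( 'delete_users' ) ) {
            continue;
        }
        // Record where the capability comes from: a role or a per-user grant.
        $sources = array();
        foreach ( $roles as $role_name ) {
            $role = get_role( $role_name );
            if ( $role && $role->has_cap( 'delete_users' ) ) {
                $sources[] = 'role ' . $role_name;
            }
        }
        if ( ! empty( $user->caps['delete_users'] ) ) {
            $sources[] = 'direct grant';
        }
        $findings[] = array(
            'login'   => $user->user_login,
            'roles'   => $roles,
            'sources' => $sources,
        );
    }
    return $findings;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    foreach ( my_find_non_admin_superadmins() as $f ) {
        WP_CLI::line( sprintf( '%s roles=[%s] delete_users via: %s',
            $f['login'], implode( ',', $f['roles'] ), implode( '; ', $f['sources'] ) ) );
    }
}
```

Every account it lists is one that a plugin relying on the single-site superadmin check would treat as a full administrator, so review those before and after plugin updates.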
Vladimir
Keymaster
Hi,
I don’t have a ready-to-use solution on hand.
robots.txt may give some initial help. Disallow for bots a folder where you store PDFs.
In general, for strong security you have to place files into the restricted folder (closed for public) and use a special script which will provide content of the selected file for the authorized users only.
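One way to build the "special script" mentioned above, as an added example that is not part of the original post and is not URE code. The folder path, the `my_get_pdf` action name and the `read_private_pdfs` capability are assumptions made for illustration.

```php
<?php
/**
 * Added example, not URE code. Assumptions: PDFs are stored in MY_PDF_DIR,
 * a folder outside the web root (constructed path), and 'read_private_pdfs'
 * is a hypothetical custom capability granted to the allowed roles.
 * Download URL: /wp-admin/admin-post.php?action=my_get_pdf&file=report.pdf
 */
define( 'MY_PDF_DIR', '/var/private/pdfs' );

add_action( 'admin_post_my_get_pdf', 'my_serve_protected_pdf' );       // logged-in users
add_action( 'admin_post_nopriv_my_get_pdf', 'my_deny_protected_pdf' ); // anonymous visitors

function my_deny_protected_pdf() {
    wp_die( 'Please log in to download this file.', '', array( 'response' => 403 ) );
}

function my_serve_protected_pdf() {
    if ( ! current_user_can( 'read_private_pdfs' ) ) {
        wp_die( 'You are not allowed to download this file.', '', array( 'response' => 403 ) );
    }

    // Allowlist the file name: no directory parts, only a plain *.pdf name.
    $name = isset( $_GET['file'] ) ? basename( wp_unslash( $_GET['file'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9._-]+\.pdf$/i', $name ) ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }

    // Resolve symlinks and confirm the file really sits inside the folder.
    $base = realpath( MY_PDF_DIR );
    $path = ( false !== $base ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    if ( false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $path ) ) {
        wp_die( 'File not found.', '', array( 'response' => 404 ) );
    }

    nocache_headers(); // keep shared caches from storing the protected file
    header( 'Content-Type: application/pdf' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    header( 'X-Content-Type-Options: nosniff' );
    readfile( $path );
    exit;
}
```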
01/08/2018 at 02:34 in reply to: Give "capabilities" access without granting ability to create/edit/change roles #5061
Vladimir
Keymaster
Hi,
User manager with 2 capabilities:
– list_users,
– edit_users
does not see ‘Capabilities’ link under user role. It’s enough to open user profile to change a role(s) granted to user.
It’s possible to hide from such a user manager the primary role controls using a URE custom filter, like this:

    add_filter('ure_users_select_primary_role', 'my_users_select_primary_role', 10, 1);

    function my_users_select_primary_role($select) {
        $select = false;

        return $select;
    }

This filter does not take effect for site superadmin.
You may add this code to the active theme functions.php file or set it up as a Must Use plugin.
Vladimir
Keymaster
Widget placed on sidebar is available for everyone by default. That’s why access rule has “Do not show” condition only.
Workaround for the described issue: do not grant to the same user a role with a different access rule for the same widget. Maybe create a copy of a role, but without the restriction to see a widget, and grant it to this user instead of the previous one.
Vladimir
Keymaster
I got it. Thank you. I will work on the update.
Vladimir
Keymaster
Hi Bjorn,
Good suggestion. Can you provide me a copy of WPML plugins (via DropBox or Google Drive)? I would look how they link posts with different languages and try to hook content view restrictions settings from the main language to other post copies.
Vladimir
Keymaster
Hi,
WPML uses another page instance (db record) for the other language, for which you did not set content view restriction. I don’t have a test WPML setup. Check if it’s possible to set up content view restriction for the page copy which you open for English language.
Vladimir
Keymaster
Hi Olivier,
Look at WPML documentation or ask their support how to set permission at WPML itself for other language for translators? Maybe you need to add a user to the translators list also.
As I mentioned earlier, if ‘Activate “Create” capability for posts/pages/custom post types’ option at URE Settings is turned ON, role requires “create_posts” capability in order to see “Posts->Add new” menu item. The same is true for other post types.
Vladimir
Keymaster
URE shows full admin menu for the ‘administrator’ role only. URE shows admin menu items to which selected role has access only – for all other roles.
Do you see mentioned menu item if you open “Admin menu” for the “administrator” role? Look what capability protects needed menu item there. It will appear at the “Admin menu” for other role after you will grant that capability to a role.
Vladimir
Keymaster
Go to the “Settings->User Role Editor”. Is the license key active there? If it is not, input your license key there again. Check update process after that.
Vladimir
Keymaster
There is no custom order functionality for admin menu in User Role Editor Pro.
Look at Admin menu editor plugin.
Vladimir
Keymaster
Yes, we can. There is a hook to add an additional option for roles.
Code below adds “Add custom CSS” additional option. Custom CSS will be added to the backend for the selected role once you turn this option ON for it.

    add_filter('ure_role_additional_options', 'ure_custom_backend_css_option', 10, 1);

    function ure_custom_backend_css_option($items) {
        $item = URE_Role_Additional_Options::create_item('custom_backend_css', esc_html__('Add custom CSS', 'user-role-editor'), 'admin_init', 'ure_add_custom_backend_css');
        $items[$item->id] = $item;

        return $items;
    }

    function ure_add_custom_backend_css() {
        add_action('admin_head', 'ure_custom_backend_css');
    }

    function ure_custom_backend_css() {
    ?>
    <style>
        /* URE custom CSS here */
    </style>
    <?php
    }

I set this code as a Must Use plugin for testing.
Vladimir
Keymaster
OK. I need to make my own tests with it. What about access to the plugin or theme which registered those menu items?
If it’s not critical for your data, you can export your site (without wp-uploads) using UpdraftPlus plugin and share files with support [at-sign] role-editor.com via DropBox or Google Drive.