Notifications
Clear all

[Solved] This plugin breaks permission for all admin pages

7 Posts
3 Users
0 Likes
1,490 Views
Posts: 27
Customer
Topic starter
(@mathias-latournerie)
Member
Joined: 3 years ago

Hello,

I found a bug in the plugin that completely break the permissions for my forum admins.

If you are a user with some admin access on WPForo but are not a WP Admin, you can't access your admin pages anymore because of a bug in "wpforotpx.php" in the "admin_menu_order" function.

I've spent hours trying to understand what was wrong with my install as my forum admins and moderators told me they were getting an error saying "Sorry,  you are not allowed to access this page." when trying to access their admin pages (ex: wpforo-settings)

If you are not a WP admin, you won't get the "Topic Prefix" submenu, and in return the "admin_menu_order" function will replace the $submenu global variable with an empty array, breaking the WP "user_can_access_admin_page" function.

I'm not sure about the best way to fix this, I just made a workaround to not unset the menu if the replacement is empty, but in my opinion, the issue is that people with WPForo "Full Access" should get access to the submenu in the first place.

So all in all, I believe the underlying issue is that the "wpforo_current_user_is" should check for the "fullaccess" permission when trying to see if someone is a forum admin. However, as I'm not sure what the implications would be, I didn't modify this function myself.

I would like my forum admin ("fullaccess") to be able to change the plugin settings like they are able to do for your other addons.

Regards.

6 Replies
Astghik
Posts: 5859
Admin
(@astgh)
Illustrious Member
Joined: 6 years ago

@mathias-latournerie,

This is designed to work in this way. We may provide you with a hook code for this case if you want. You'll simply need to add the code in the functions.php file it'll as you expected. 

Reply
5 Replies
Customer
(@mathias-latournerie)
Joined: 3 years ago

Member
Posts: 27

@astghik I can assure you it is not designed to work like this :p

There's a misunderstanding. I can hear that you designed it in a way that only WP admin can access the plugin settings (and in that case, yes, I would like to get this hook to make my forum admins have access too).

However it is not designed to cause a major bug in the admin area itself! I'm going to give another example but please re-read my message.

Without "Prefix plugin" => Users with "fullaccess" can open the "Settings" page and users with "Moderation access" can open the "Moderation" panel in the WP admin area.

With plugin => They can't! Because the plugin has a bug that breaks permissions for other pages than itself! That's a major bug and I can't update the plugin until it is fixed.

Regards.

Reply
 Tom
Admin
(@tomson)
Joined: 9 years ago

Famed Member
Posts: 4168

@mathias-latournerie,

Thank you for the information. We'll check it and release the addon update asap.

Reply
Customer
(@mathias-latournerie)
Joined: 3 years ago

Member
Posts: 27

@tomson Hello, any news on this please? It's been more than 5 months

Reply
 Tom
Admin
(@tomson)
Joined: 9 years ago

Famed Member
Posts: 4168

@mathias-latournerie,

Please make sure you use the latest 1.0.3 version.

Reply
Customer
(@mathias-latournerie)
Joined: 3 years ago

Member
Posts: 27

@tomson Oh did you just released a new version? Sorry I updated yesterday. Ok I will update then, thanks!

Reply
Share:
Scroll to top