JoryHogeveen / view-admin-as

View the WordPress admin as a different role, switch between users, temporarily change your capabilities, set default screen settings for roles, manage your roles and capabilities.
https://wordpress.org/plugins/view-admin-as/
GNU General Public License v2.0

Compatibility issue: We currently overwrite other user_has_cap filters. #56

Closed JoryHogeveen closed 7 years ago

JoryHogeveen commented 7 years ago

When other plugins use the user_has_cap filter, VAA overwrites this in a view.

It might be more logical to put our filters first, so all other plugins can still do their magic. This way the filter actually gets run as if it's a different role instead of being overwritten by View Admin As.

Extra: Maybe it's good to use the user_has_cap filter in our map_meta_cap filter as well to ensure we get the proper capability modifications from other plugins.

pbiron commented 7 years ago

Thanks for addressing this.

For others, the underlying issue is as follows:

When VAA is run in a multisite environment and the current user is a super admin, if some other plugin has hooked into user_has_cap and the hooked function modifies a user's capabilities based on that user's role, then that function hooked to user_has_cap never gets called when "Viewing as role"... because WP Core's WP_User::has_cap() short circuits when the current user is a super admin.

JoryHogeveen commented 7 years ago

@pbiron

Please check the latest dev branch for the fix! https://github.com/JoryHogeveen/view-admin-as/tree/dev PR: #54

I actually did what I proposed above (and I now see you proposed something quite similar in your plugin comments). You can review the changes in the PR.

It's way more logical to run the user_has_cap filter at the beginning so all other plugins can run their filters based on the modified user. (I actually make temporary changes to the current user when viewing as a role or with modified capabilities.) I've also applied the user_has_cap filter within the map_meta_cap filter to make sure these capability changes apply here as well for super admins.

Thanks again for your input.
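The short circuit pbiron describes and the map_meta_cap approach described in the comment above, as an added stand-alone model that is not part of the original thread and is not View Admin As or WordPress code. The filter registry, the array-based user, the `viewing` flag and the "editors may not delete pages" plugin are assumptions made for illustration, and the `user_has_cap` callback signature is simplified compared with WordPress core.

```php
<?php
// Stand-alone model, not WordPress or View Admin As code. The filter registry
// and has_cap() only imitate the order of operations described in this thread.
$filters = [];
function add_filter(string $tag, callable $fn, int $priority = 10): void {
    global $filters;
    $filters[$tag][$priority][] = $fn;
}
function apply_filters(string $tag, $value, ...$args) {
    global $filters;
    $byPriority = $filters[$tag] ?? [];
    ksort($byPriority); // lower priority number runs first
    foreach ($byPriority as $callbacks) {
        foreach ($callbacks as $fn) { $value = $fn($value, ...$args); }
    }
    return $value;
}
// Capability check: map_meta_cap first, then the (multisite) super admin
// short circuit, and only then user_has_cap.
function has_cap(array $user, string $cap): bool {
    $caps = apply_filters('map_meta_cap', [$cap], $cap, $user);
    if ($user['super_admin']) {
        return !in_array('do_not_allow', $caps, true); // user_has_cap is skipped
    }
    $allcaps = apply_filters('user_has_cap', $user['allcaps'], $caps, $user);
    return !array_filter($caps, fn($c) => empty($allcaps[$c]));
}
// Hypothetical third-party plugin (priority 10): editors may not delete pages.
add_filter('user_has_cap', function (array $allcaps, array $caps, array $user) {
    if (in_array('editor', $user['roles'], true)) {
        $allcaps['delete_pages'] = false;
    }
    return $allcaps;
});
// Constructed sample: a super admin whose user data is temporarily set to "editor".
$user = ['super_admin' => true, 'viewing' => true, 'roles' => ['editor'],
         'allcaps' => ['edit_pages' => true, 'delete_pages' => true]];
var_dump(has_cap($user, 'delete_pages')); // short circuit: plugin filter not consulted
// Hypothetical fix: while a view is active, run user_has_cap inside map_meta_cap
// and deny through 'do_not_allow', which the short circuit does honour.
add_filter('map_meta_cap', function (array $caps, string $cap, array $user) {
    if (empty($user['viewing'])) {
        return $caps;
    }
    $allcaps = apply_filters('user_has_cap', $user['allcaps'], $caps, $user);
    return array_filter($caps, fn($c) => empty($allcaps[$c])) ? ['do_not_allow'] : $caps;
});
var_dump(has_cap($user, 'delete_pages')); // now reflects the plugin's decision
```

Run it with the PHP CLI (7.4 or later); the two `var_dump` calls show the same check before and after the map_meta_cap filter is registered.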

JoryHogeveen commented 7 years ago

Already found the first issue.

When you are not a super admin but this plugin is still activated through the view_admin_as capability, "Restrict User Access" overwrites our full list of capabilities (priority 9).

Related: https://github.com/intoxstudio/restrict-user-access/pull/11

JoryHogeveen commented 7 years ago

@pbiron If you have the time, please confirm the current dev branch status fixes your problem 100%. 1.7.2-rc1 is done.

PS: Since it's related, what is your opinion on #53?