christianwach / civicrm-admin-utilities

CiviCRM Admin Utilities is a WordPress plugin that modifies and enhances CiviCRM's appearance and behaviour in single site and multisite WordPress installs.
https://wordpress.org/plugins/civicrm-admin-utilities/
GNU General Public License v2.0

No permission around submenu settings link #21

Closed andyburnsco closed 3 years ago

andyburnsco commented 3 years ago

[screenshot: CiviCRM admin bar submenu showing the Settings link]

For the submenu settings link in the left admin bar underneath CiviCRM, no permission exists on who can access it. It appears that if you have `access_civicrm`, you can see the link. The settings link should require `administer_civicrm`.

https://github.com/christianwach/civicrm-admin-utilities/blob/master/civicrm-admin-utilities.php#L519

On Version 0.8.3.

On Civi 5.35.0 this occurs. On Civi 5.31.0 it does not. Something changed in core.

andyburnsco commented 3 years ago

So this is https://github.com/civicrm/civicrm-wordpress/pull/231, not this plugin.

christianwach commented 3 years ago

@andyburnsco The "action links" you point to in the code are visible below this plugin on the "Plugins" screen in WordPress Admin. By definition they are only visible to those with access to the "Plugins" page, which means they have manage_options in Single Site and manage_network_options in Multisite. As a result, I'm pretty sure they need no capability check.

Your screenshot shows the CiviCRM "Settings" page link introduced in 5.34 and, as you rightly point out in your follow-up comment, it has the wrong access capability assigned. Thanks for catching this - I'll create a PR there.

christianwach commented 3 years ago

@andyburnsco https://lab.civicrm.org/dev/wordpress/-/issues/96

christianwach commented 3 years ago

Fixed by https://github.com/civicrm/civicrm-wordpress/pull/245
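The two points made in this thread, a Settings submenu registered against the capability every CiviCRM user holds instead of the administrative one, and plugin action links that need no check of their own because the Plugins screen is already restricted, shown side by side in WordPress PHP. This is an added illustration, not code from civicrm-admin-utilities or from civicrm-wordpress, and it does not reproduce the actual fix in the linked PR. It assumes CiviCRM's permissions are exposed to WordPress as the capabilities `access_civicrm` and `administer_civicrm`, and that the top-level CiviCRM admin menu uses the slug `CiviCRM`; every `example_*` function name and the `example` text domain are hypothetical.

```php
<?php
/**
 * Illustration only: not code from civicrm-admin-utilities or civicrm-wordpress.
 *
 * Assumptions: CiviCRM's "access CiviCRM" and "administer CiviCRM" permissions
 * are available to WordPress as the capabilities 'access_civicrm' and
 * 'administer_civicrm', and the top-level CiviCRM admin menu was registered
 * with the slug 'CiviCRM'. All example_* names are hypothetical.
 */

// The problem reported in the issue: the Settings page is registered against
// the capability that every CiviCRM user has, so the submenu (and the page
// behind it) is reachable by anyone who can merely access CiviCRM.
// Deliberately not hooked anywhere; kept for contrast with the version below.
function example_register_settings_menu_weak() {
    add_submenu_page(
        'CiviCRM',                         // parent menu slug (assumed)
        __( 'CiviCRM Settings', 'example' ),
        __( 'Settings', 'example' ),
        'access_civicrm',                  // too permissive for a settings page
        'example_civicrm_settings',
        'example_render_settings_page'
    );
}

// The corrected registration. WordPress only adds the submenu entry, and only
// lets admin.php?page=... render, for users who pass current_user_can() for
// the capability given here, so this argument is the real access gate.
function example_register_settings_menu() {
    add_submenu_page(
        'CiviCRM',
        __( 'CiviCRM Settings', 'example' ),
        __( 'Settings', 'example' ),
        'administer_civicrm',              // administrative permission
        'example_civicrm_settings',
        'example_render_settings_page'
    );
}
add_action( 'admin_menu', 'example_register_settings_menu' );

// Defence in depth: re-check inside the callback as well, so the page stays
// protected if it is later reached by a route that bypasses the menu
// (for instance a form handler hooked to admin_post_*).
function example_render_settings_page() {
    if ( ! current_user_can( 'administer_civicrm' ) ) {
        wp_die(
            esc_html__( 'You do not have permission to manage CiviCRM settings.', 'example' ),
            '',
            array( 'response' => 403 )
        );
    }
    echo '<div class="wrap"><h1>' . esc_html__( 'CiviCRM Settings', 'example' ) . '</h1></div>';
}

// Contrast with the plugin "action links" discussed in the thread: these are
// rendered only on the Plugins screen, which WordPress itself restricts to
// users allowed to administer plugins, so the link needs no capability check
// of its own. The page it points at is still gated by the registration above.
function example_action_links( $links ) {
    $url     = admin_url( 'admin.php?page=example_civicrm_settings' );
    $links[] = '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Settings', 'example' ) . '</a>';
    return $links;
}
add_filter( 'plugin_action_links_' . plugin_basename( __FILE__ ), 'example_action_links' );
```

The practical check when reviewing a WordPress plugin for this class of bug is to read the capability argument of every `add_menu_page` / `add_submenu_page` call and ask whether it matches the sensitivity of the page, since that argument, not the visibility of the link, is what WordPress enforces; a link that is hidden but whose page accepts a weaker capability is still exploitable by typing the URL.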