Open rvdsteege opened 6 months ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Is there someone from the @Cloudflare team who can review the PR and merge it if possible?
Confirmation
WordPress version
6.4.3
Cloudflare-WordPress version
4.12.6
PHP version
7.4.33
Expected result
A user with a custom role which has the
manage_options
capability, being able to purge the cache through the Settings → Cloudflare page.Actual result
When clicking the "Cloudflare" admin menu item, an empty page is displayed and
CONFIG_FETCH_ERROR
andZONES_FETCH_ERRORS
errors occur in the console.Steps to reproduce
manage_options
capability (e.g. using the Members plugin; https://wordpress.org/plugins/members/)Additional factoids
It appears that the changes from https://github.com/cloudflare/Cloudflare-WordPress/pull/529 are causing the issues (released in version
4.12.3
). The "Cloudflare" admin menu item requires themanage_options
capability and the WordPress AJAX actioncloudflare_proxy
— which seems needed to load the settings page — is checking for theadministrator
role.https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/Hooks.php#L82-L87
https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/Proxy.php#L56-L60
It might be better to check against the
manage_options
capability in the proxy too, so both will be checking the same requirement to access the settings page.Also, as mentioned in the WordPress developer documentation at https://developer.wordpress.org/reference/functions/current_user_can/, checking against a role instead of a capability using
current_user_can()
is discouraged:https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/WordPressAPI.php#L159-L165
https://github.com/cloudflare/Cloudflare-WordPress/blob/58db13b91fbd5e8613a8599d58cf05d04914d7e6/src/WordPress/WordPressWrapper.php#L39-L42
References
https://github.com/cloudflare/Cloudflare-WordPress/pull/529