helgatheviking / Nav-Menu-Roles

Display / Hide wp_nav_menu() items by role

Routes are not protected #35

Closed boutmos closed 5 years ago

boutmos commented 5 years ago

Hi,

If I log in as an admin and copy a category URL, then log in as a default user (who does not have permission to see this category), I can access it just by pasting the URL.

This plugin only hides? Or did I miss something?

Thank you

helgatheviking commented 5 years ago

IMPORTANT NOTE

In WordPress menu items and pages are completely separate entities. Nav Menu Roles does not restrict access to content. Nav Menu Roles is only for showing/hiding nav menu items. If you wish to restrict content then you need to also be using a membership plugin.

Routes have never been protected by this plugin. It only shows/hides the menu items.

boutmos commented 5 years ago

A lot of code for few things, finally just hide/show. The main code is to put radio buttons and check boxes into the administrator panel? Thank you.

helgatheviking commented 5 years ago

I don't understand what you are asking. All the code is required.

boutmos commented 5 years ago

I mean heavy code for just a Hide / show ... sorry

I looked into the translation files (.mo and .po): why are some of them in wp-content/languages/plugins and others in wp-content/plugins/nav-menu-roles/languages?

helgatheviking commented 5 years ago

It's not heavy code... It's all the code that is required, no more, no less. It could be less, but WordPress hasn't added the hook I need in the menu admin in going on 9 years.

You should store your translations in the wp-content/languages/plugins folder. However, I still load some legacy language files from the plugin folder, but I don't maintain them now that WordPress hosts language packs.

If you want to submit a translation you should go to https://translate.wordpress.org/

boutmos commented 5 years ago

Thank you.

lkraav commented 5 years ago

> It could be less, but WordPress hasn't added the hook I need in the menu admin in going on 9 years.

@helgatheviking can you provide the core issue link for me?

helgatheviking commented 5 years ago

It's in the readme, please check there

On Tue, Sep 17, 2019, 3:52 AM Leho Kraav notifications@github.com wrote:

> It could be less, but WordPress hasn't added the hook I need in the menu admin in going on 9 years.
>
> @helgatheviking https://github.com/helgatheviking can you provide the core issue link for me?

boutmos commented 4 years ago

Made this in functions.php; an advantage is that we can't see the links in the HTML code, but it is hardcoded. Luckily my user roles won't change at all. It is not user-friendly like a plugin, but we can quickly edit the 'ACL' in the global $privileges array when the menu has to change.

I added some security to protect routes/URLs with this plugin: 'protect-pages-and-categories-with-login'

```php
// Role slug => titles of the menu items that role is allowed to see.
$privileges = array(
  'administrator'   => array(
    'Accueil',
    'Espace Etudiants',
    'Espace Enseignants',
    'Trombinoscopes',
    'Applications',
    'Mon Compte',
    'Réinitialisation du mot de passe',
  ),
  'etudiant'        => array(
    'Accueil',
    'Espace Etudiants',
    'Trombinoscopes',
    'Applications',
    'Mon Compte',
  ),
  'enseignant'      => array(
    'Accueil',
    'Espace Etudiants',
    'Espace Enseignants',
    'Trombinoscopes',
    'Applications',
    'Mon Compte',
  ),
  'aitos'           => array(
    'Accueil',
    'Trombinoscopes',
    'Mon Compte'
  ),
  'exterieur'       => array(
    'Accueil',
    'Espace Enseignants'
  ),
  'vacataire'       => array(
    'Accueil',
    'Vacataire'
  ),
  'author'          => array('Author'),
  'contributor'     => array('Contributor'),
  'editor'          => array('Editor'),
  'subscriber'      => array('Subscriber')
);

/**
 * Filter menu items according to the rights assigned in the array $privileges (global)
 */
function role_filter_menu($sorted_menu_objects, $args) {
  global $privileges;

  // A filter callback must always return a value; logged-out visitors get an empty menu.
  if ( ! is_user_logged_in() ) {
    return array();
  }

  $current_user = wp_get_current_user();
  // Only the first role is considered; a missing or unlisted role gets no menu items.
  $role    = isset( $current_user->roles[0] ) ? $current_user->roles[0] : '';
  $allowed = isset( $privileges[ $role ] ) ? $privileges[ $role ] : array();

  foreach ($sorted_menu_objects as $key => $menu_object) {
    // can also check for $menu_object->url for example
    // see all properties to test against:
    if ( ! in_array( $menu_object->title, $allowed, true ) ) {
      unset($sorted_menu_objects[$key]);
    }
  }
  return $sorted_menu_objects;
}
add_filter('wp_nav_menu_objects', 'role_filter_menu', 10, 2);
```

helgatheviking commented 4 years ago

@boutmos that looks like a hard-coded version of what Nav Menu Roles does, but filtering wp_nav_menu_objects doesn't provide any route security. Use something like Members for that.
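
Added example, not part of the thread or of the plugin's code: a minimal sketch of checking access on the requested content itself, which is what hiding a menu item does not do. It assumes it is placed in the theme's functions.php; the `example_*` function names, the `EXAMPLE_CATEGORY_ACL` map and its category slugs are hypothetical.

```php
// Hypothetical map (constructed): category slug => roles allowed to read it.
// Categories that are not listed stay public.
const EXAMPLE_CATEGORY_ACL = array(
  'espace-enseignants' => array( 'administrator', 'enseignant' ),
  'espace-etudiants'   => array( 'administrator', 'enseignant', 'etudiant' ),
);

/** Pure decision: may a user holding $user_roles read content in $category_slugs? */
function example_can_view( array $user_roles, array $category_slugs, array $acl ) {
  foreach ( $category_slugs as $slug ) {
    // Deny as soon as one restricted category has no matching role.
    if ( isset( $acl[ $slug ] ) && ! array_intersect( $user_roles, $acl[ $slug ] ) ) {
      return false;
    }
  }
  return true;
}

/** Category slugs of the current request: a category archive or a single post. */
function example_requested_category_slugs() {
  if ( is_category() ) {
    $term = get_queried_object();
    return $term instanceof WP_Term ? array( $term->slug ) : array();
  }
  if ( is_singular( 'post' ) ) {
    return wp_list_pluck( get_the_category( get_queried_object_id() ), 'slug' );
  }
  return array();
}

/** Runs on every front-end request, whether or not a menu link led to it. */
function example_enforce_category_acl() {
  $roles = is_user_logged_in() ? (array) wp_get_current_user()->roles : array();
  if ( example_can_view( $roles, example_requested_category_slugs(), EXAMPLE_CATEGORY_ACL ) ) {
    return;
  }
  if ( ! is_user_logged_in() ) {
    auth_redirect(); // sends anonymous visitors to the login page and exits
  }
  wp_die( 'You are not allowed to view this content.', 'Forbidden', array( 'response' => 403 ) );
}
add_action( 'template_redirect', 'example_enforce_category_acl' );
```

This gates only category archives and single posts rendered through the theme; other listings such as search results, and the REST API, are not covered, which is the gap a dedicated membership plugin is meant to close.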