johngodley / redirection

Manage all your WordPress 301 redirects and monitor 404 errors
https://redirection.me
GNU General Public License v3.0
555 stars 139 forks

Feature Request - Restrict User to Editing Redirects in Certain Groups #3006

Open arimgibson opened 3 years ago

arimgibson commented 3 years ago

Summary

Using the redirection_capability_check hooks as listed on the Permissions guide, I think it could be helpful to have a feature that allows an admin to restrict certain users to only manage/add/delete redirects which are assigned a certain group in the Redirection plugin. For example, redirects created by a user with a certain role could be automatically added to a group with that role title, and users with that role would only be able to view and edit redirects in that group.

i.e. A user with the role "Sub-Admin" would create a redirect which would be added to a group of something like "Redirects - Sub-Admin Role". Users with the role "Sub-Admin" would not be able to edit roles outside of this group.

The inspiration and example use case of this feature is for a website I'm currently developing, where users of a certain role are meant to create "shortlinks". Access is given through an extremely limited admin panel, only allowing them access to the Redirection plugin page. This access is further restricted by using the redirection_capability_check hook to limit them to manage/add/delete redirects. However, I now want to add a redirect for SEO reasons which I do not want to be accidentally deleted by these restricted users.

A proposed implementation of this would be using the "Groups" filter on the plugin page. Depending on the user's role, this filter could be applied and locked. It's very likely this is easy to implement using WP hooks as opposed to the Redirection hooks. I am currently looking into this and will post an update if discovered.

Actual Behavior

There is currently no feature that implements this. As far as I know, the closest an admin can get to implementing restrictions is by using the Permissions guide to restrict certain plugin features to users with a certain role or capability.

Another workaround is to use another redirection plugin or add redirects the standard way into .htaccess. However, both of these solutions have downsides. It is possible that redirects could be overwritten/overlap with no easy way to debug; an admin would have to look through multiple plugins and files to determine where the redirects are overlapping. On some hosting platforms, admins aren't given access to the .htaccess file. Lastly, using the .htaccess method isn't always as accessible for novice users.

Steps to reproduce

N/A

Environment

N/A

Thank you all for your fantastic work on this plugin :heart: appreciate that one of my staple WordPress plugins is FOSS

arimgibson commented 3 years ago

Did some digging into how the group filter option is added. I was thinking it would be added using a WordPress hook, but it's just done through JS. The option is added onto the front page using code here and groups are collected using code here through the Redirection API. I hope this information is helpful if someone chooses to take on this feature request :heart:

arimgibson commented 3 years ago

An extremely lazy, temporary solution I came up with... PLEASE do not implement this if you know that people accessing this page know any JS or would want to mess around. This entire solution is broken if the user simply changes the filterby%5Bgroup%5D group value in the URL bar. I'm using this because it wouldn't really matter if someone gets past this method. Consider this a tamper shield and deterrent instead of a lock.

This method WILL NOT continue working after a plugin update. Either disable the Redirection plugin update, or be prepared to follow these steps after each plugin update.

Lastly, make sure that you're giving the URL <site_url>/wp-admin/tools.php?page=redirection.php&filterby%5Bgroup%5D=1 to people who you want to have this tamper shield on.

Steps

1. Update Group ID in Database

Visit your database however you feel most comfortable (phpMyAdmin or CLI). Find the database for your WordPress installation and then browse the table <wordpress table prefix>_redirection_groups. The group you want to use when limiting users should have an ID of 1.

2. The Code

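// Cosmetic only: runs in the browser and reads the group filter from the page URL.
if (new URL(document.location).searchParams.get("filterby[group]") === "1") {
  // Hide the second child of the table actions bar while the filter is group 1.
  document.querySelector(".redirect-table__actions > div:nth-child(2)").style.display = "none"
}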

3. Adding the Code

Open the WordPress plugin editor and select the "Redirection" plugin in the top right "Select plugin to..." box. On the right side under the header "Plugin Files", find redirection.js. Scroll to the bottom and paste in the code from the previous step.
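Added example, not part of the original post and not Redirection's code: it puts the URL check from step 2 next to a model of the server-side rule the feature request asks for, where the decision depends on the user's roles and the group stored with the redirect. The role names, group IDs, policy map, function names and the example.test host are all hypothetical.

```javascript
// The step 2 condition as a function of the page URL: true when the
// snippet would hide the element, false for every other URL.
function shieldApplies(pageUrl) {
  return new URL(pageUrl).searchParams.get("filterby[group]") === "1";
}

// Hypothetical policy: groups each role may modify ("*" = all groups).
// Roles that are not listed get nothing, so the rule fails closed.
const ROLE_GROUPS = { administrator: "*", "sub-admin": [1] };

// Model of a server-side decision. Inputs are the authenticated user's
// roles and the group ID stored with the redirect being changed; the
// filter value sent by the browser is not an input at all.
function mayModify(roles, storedGroupId, policy = ROLE_GROUPS) {
  return roles.some((role) => {
    // Own-property lookup so names like "constructor" never match.
    const known = Object.prototype.hasOwnProperty.call(policy, role);
    const allowed = known ? policy[role] : [];
    return allowed === "*" || allowed.includes(storedGroupId);
  });
}

// Constructed sample requests (example.test is a placeholder host).
const BASE = "https://example.test/wp-admin/tools.php?page=redirection.php";
const SAMPLES = [
  { url: BASE + "&filterby%5Bgroup%5D=1", roles: ["sub-admin"], group: 1 },
  { url: BASE + "&filterby%5Bgroup%5D=2", roles: ["sub-admin"], group: 2 },
  { url: BASE, roles: ["sub-admin"], group: 2 },
  { url: BASE + "&filterby%5Bgroup%5D=1", roles: ["administrator"], group: 2 },
  { url: BASE + "&filterby%5Bgroup%5D=1", roles: ["constructor"], group: 1 },
];

// For each sample: did the client-side shield apply, and would the
// server-side rule allow the change?
function evaluate(samples = SAMPLES) {
  return samples.map((s) => ({
    hidden: shieldApplies(s.url),
    allowed: mayModify(s.roles, s.group),
  }));
}

console.table(evaluate());
```

In the second and third rows the shield does not apply, yet the modelled rule still refuses the change, which is the difference between the deterrent described above and a lock.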