Empty settings page for users with custom role having the manage_options capability #544
Open
2 tasks done
rvdsteege added a commit to rvdsteege/Cloudflare-WordPress that referenced this issue Jul 29, 2024
Fix empty settings page for users with `manage_options` capability (cloudflare#544).
rvdsteege added a commit to rvdsteege/Cloudflare-WordPress that referenced this issue Jul 29, 2024
…d no administrator role (cloudflare#544).
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Is there someone from the @cloudflare team who can review the PR and merge it if possible?

As I have not heard anything since opening this issue in April, I reported it through Cloudflare support. The case ID is 01317769.
Confirmation
WordPress version
6.4.3
Cloudflare-WordPress version
4.12.6
PHP version
7.4.33
Expected result
A user with a custom role which has the `manage_options` capability, being able to purge the cache through the Settings → Cloudflare page.

Actual result
When clicking the "Cloudflare" admin menu item, an empty page is displayed and `CONFIG_FETCH_ERROR` and `ZONES_FETCH_ERRORS` errors occur in the console.

Steps to reproduce
`manage_options` capability (e.g. using the Members plugin; https://wordpress.org/plugins/members/)

Additional factoids
It appears that the changes from #529 are causing the issues (released in version `4.12.3`). The "Cloudflare" admin menu item requires the `manage_options` capability and the WordPress AJAX action `cloudflare_proxy` — which seems needed to load the settings page — is checking for the `administrator` role.

Cloudflare-WordPress/src/WordPress/Hooks.php
Lines 82 to 87 in dd13e15

Cloudflare-WordPress/src/WordPress/Proxy.php
Lines 56 to 60 in dd13e15

It might be better to check against the `manage_options` capability in the proxy too, so both will be checking the same requirement to access the settings page.

Also, as mentioned in the WordPress developer documentation at https://developer.wordpress.org/reference/functions/current_user_can/, checking against a role instead of a capability using `current_user_can()` is discouraged:

Cloudflare-WordPress/src/WordPress/WordPressAPI.php
Lines 159 to 165 in dd13e15

Cloudflare-WordPress/src/WordPress/WordPressWrapper.php
Lines 39 to 42 in 58db13b
References
#529
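
The mismatch reported above, as an added stand-alone PHP model; it is not the plugin's code and not part of the original report. It shows why a role-name check and a capability check disagree for a custom role. Assumptions: the role table, the `cache_manager` role and every function name are constructed for illustration, and `effective_caps()` models how WordPress resolves `current_user_can()` (role names are merged into the user's capability set).

```php
<?php
// Added example: stand-alone model, does not load WordPress.
// Constructed role table: role name => capabilities granted by that role.
const ROLES = [
    'administrator' => ['manage_options' => true, 'edit_posts' => true],
    'cache_manager' => ['manage_options' => true], // hypothetical custom role
    'editor'        => ['edit_posts' => true],
];

// Models WordPress capability resolution: every capability of each
// assigned role, plus the role names themselves as pseudo-capabilities.
function effective_caps(array $userRoles): array
{
    $caps = [];
    foreach ($userRoles as $role) {
        $caps = array_merge($caps, ROLES[$role] ?? []);
        $caps[$role] = true; // this is why a role name "works" as a capability
    }
    return $caps;
}

function user_can(array $userRoles, string $cap): bool
{
    return !empty(effective_caps($userRoles)[$cap]);
}

// Gate on the admin menu item, per the issue: a capability.
function can_see_menu(array $userRoles): bool
{
    return user_can($userRoles, 'manage_options');
}

// Gate on the AJAX proxy as described in the issue: a role name.
function proxy_allows_role_check(array $userRoles): bool
{
    return user_can($userRoles, 'administrator');
}

// Gate suggested in the issue: the same capability as the menu.
function proxy_allows_cap_check(array $userRoles): bool
{
    return user_can($userRoles, 'manage_options');
}

// One row per constructed user: the custom role sees the menu but is
// rejected by the role-based proxy gate, which matches the empty page.
foreach (['administrator', 'cache_manager', 'editor'] as $role) {
    printf("%-14s menu=%d proxy(role)=%d proxy(cap)=%d\n", $role,
        can_see_menu([$role]), proxy_allows_role_check([$role]), proxy_allows_cap_check([$role]));
}
```

With the capability gate on both sides, the `editor` row stays denied everywhere, so aligning the checks does not widen access beyond what the menu already requires.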