[buddypress-trac] [BuddyPress] #4991: manage_options capability required for non-super admin xprofile editing

buddypress-trac noreply at wordpress.org
Tue May 14 18:33:21 UTC 2013


#4991: manage_options capability required for non-super admin xprofile editing
------------------------------------+------------------
 Reporter:  danzigism               |       Owner:
     Type:  defect (bug)            |      Status:  new
 Priority:  normal                  |   Milestone:  1.8
Component:  XProfile                |     Version:  1.7
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch dev-feedback  |
------------------------------------+------------------
Changes (by r-a-y):

 * keywords:   => has-patch dev-feedback
 * component:  Core => XProfile
 * milestone:  Awaiting Review => 1.8


Comment:

 > Prior to 1.7.1 the only requirement for non-super admins to edit other
 users' extended profiles is that they only needed the "edit_users"
 capability as defined in bp-members-functions.php

 In older versions of BP (1.5 and below), you had to explicitly be a super
 admin in order to edit a user's profile and avatar.
 [https://buddypress.trac.wordpress.org/browser/tags/1.5.7/bp-xprofile/bp-xprofile-screens.php#L35 1.5 example].

 In BP 1.6, you could give non-super admins the "bp_moderate" capability
 (not "edit_users") to edit the profile and avatar.
 [https://buddypress.trac.wordpress.org/browser/tags/1.6/bp-xprofile/bp-xprofile-screens.php#L41 1.6 example].

 In BP 1.7, this appears to be more restricting as of r6844.  Read lines
 233-234 of the inline doc.

 I'm only basing this off the inline doc, but it appears that if a user has
 the "bp_moderate" cap, you would also need the "manage_options" cap in
 order to edit a user's profile.  This is probably what you meant in your
 original report, danzigism.  The phpDoc for that function also says that
 this is temporary, so I'm not sure what the end goal is.

 With that being said, `4999.01.patch` (disregard the wrong ticket number!)
 will allow you to check the "edit_users" capability as well, but I'm not
 sure if the other devs intended for this to happen.  I don't believe this
 will do any harm though.

 '''Devs:''' Are there places where `bp_current_user_can( 'bp_moderate' )`
 should be replaced with `bp_core_can_edit_settings()`?  I can see a couple
 of instances where we could do this such as activity deletion and
 spamming.

-- 
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/4991#comment:2>
BuddyPress <http://buddypress.org/>