[buddypress-trac] [BuddyPress Trac] #8355: Site Admins cannot edit BP emails
buddypress-trac
noreply at wordpress.org
Thu Sep 3 22:11:14 UTC 2020
#8355: Site Admins cannot edit BP emails
-----------------------------------+---------------------
 Reporter:  shanebp                |       Owner:  DJPaul
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  7.0.0
Component:  Emails                 |     Version:  6.2.0
 Severity:  normal                 |  Resolution:
 Keywords:  has-patch 2nd-opinion  |
-----------------------------------+---------------------
Changes (by imath):

 * keywords:  needs-patch => has-patch 2nd-opinion

Comment:

 So here's the situation: WordPress uses 3 meta capabilities (edit_post,
 read_post, and delete_post) that are mapped to corresponding primitive
 capabilities depending on the context (for our case it's
 `edit_others_posts` & `edit_published_posts`).

 See
 https://developer.wordpress.org/reference/functions/register_post_type/#capabilities.

 Although we map primitive caps to `bp_moderate`, this cap is not part of
 the Administrator's all caps but is mapped to `manage_options` in
 `_bp_enforce_bp_moderate_cap_for_admins()`.

 When WordPress checks for the `edit_post` cap, it adds the `bp_moderate`
 cap to the caps to check, but the `$cap` that is passed to
 `_bp_enforce_bp_moderate_cap_for_admins()` is still `edit_post` and not
 `bp_moderate`.

 So `_bp_enforce_bp_moderate_cap_for_admins()` receives:
 - `$cap = 'edit_post'`,
 - `$caps = array( 'bp_moderate', 'edit_published_posts' )`,
 - The user ID,
 - and `$args = array( $post_id )`.

 and doesn't return `array( 'manage_options' )`, but the unchanged `$caps`.

 As the first admin is the author of the bp_email post_type, he can edit
 it, but other administrators cannot because it's not `edit_others_posts`
 that is checked against the Administrator's role database capabilities but
 `bp_moderate`, which is not in the Administrator's role database
 capabilities 🤪

 A possible way to fix this is to use the `capability_type` argument of
 the `register_post_type()` function instead of the `capabilities` one and
 to edit `_bp_enforce_bp_moderate_cap_for_admins()` to check some BP
 Administrator's caps which include `bp_moderate` and the BP Email post
 type capabilities.

 That's what I did in 8355.patch to fix the issue. I'd be happy to have a
 second thought about it 🤔 What do you think about it @boonebgorges ?

--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/8355#comment:4>
BuddyPress Trac <http://buddypress.org/>
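
Added example, not part of the ticket comment or of BuddyPress: a stand-alone PHP model of the check described in the comment above, showing why a direct `bp_moderate` check passes for an Administrator while `edit_post` on someone else's `bp_email` post does not. The `model_*` function names and the role data are constructed for illustration, and the filter is reduced to the behaviour the comment describes.

```php
<?php
// Stand-alone model of the capability check described above; WordPress is not loaded.
// All function names and the role data below are constructed for illustration.

// Primitive caps stored on each role (constructed subset; bp_moderate is in neither).
$roles = array(
	'administrator' => array( 'manage_options', 'edit_others_posts', 'edit_published_posts' ),
	'subscriber'    => array( 'read' ),
);

// Models the filter's behaviour as described in the comment: the remap to
// manage_options happens only when the *requested* cap is bp_moderate.
function model_enforce_bp_moderate( array $caps, string $cap ): array {
	return ( 'bp_moderate' === $cap ) ? array( 'manage_options' ) : $caps;
}

// Models the meta-cap mapping: edit_post on a bp_email post written by someone
// else resolves to the required caps quoted in the comment.
function model_map_meta_cap( string $cap ): array {
	$caps = ( 'edit_post' === $cap )
		? array( 'bp_moderate', 'edit_published_posts' )
		: array( $cap );
	return model_enforce_bp_moderate( $caps, $cap );
}

// A user passes only if the role holds every required primitive cap.
function model_user_can( array $role_caps, string $cap ): bool {
	return array() === array_diff( model_map_meta_cap( $cap ), $role_caps );
}

// Print the required caps and the decision for each role and requested cap.
foreach ( $roles as $role => $role_caps ) {
	foreach ( array( 'bp_moderate', 'edit_post' ) as $cap ) {
		printf(
			"%-13s %-11s required=[%s] => %s\n",
			$role,
			$cap,
			implode( ', ', model_map_meta_cap( $cap ) ),
			model_user_can( $role_caps, $cap ) ? 'allowed' : 'denied'
		);
	}
}
```

The subscriber rows are there as a regression check for any fix: widening the filter so it also matches `edit_post` must still leave users without `manage_options` denied.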