Feature Request : Permissions filters

hey pheonixgh,
thanks for the long and descriptive post. I haven’t used role scoper myself, but your suggestions sound fine. I’ll take a look at this and see if I can fix something for the next version.

Hey again pheonixgh,
I took a quick look at role scoper but I couldn’t quite figure out how I would implement support for it in my plugin.

Can you give me a hint of what way forward is the correct way, is it for example any of these:

$can_edit = apply_filters("cms_tree_page_view_edit_page_rs", true, $page_id);

$can_edit = current_user_can("cms_tree_page_view_edit_page_rs", $page_id);

Also, must CMS Tree Page View be visible anywhere in the Role Scoper admin for you to be able to use it?

Sorry, lot’s of questions, but I just couldn’t find any good documention for Role Scoper :/

Heya, sorry for the delayed response.
Role Scoper is a very powerful plugin with many different ways to configure things to achieve similar results. I think trying to support it directly would be extremely difficult as it would be highly dependent on each individuals needs and their Role Scoper configuration.

my advise would be to go for something like

$can_edit = apply_filters("cms_tree_page_view_can_edit",current_user_can( $post_type_object->cap->edit_post, $page_id), $page_id);

for can_edit, the current_user_can call will be caught by RS automatically and it custom post type friendly, and the new filter would let you add any additional checking if required.

the bits that i need are something like:

$can_add_after = apply_filters("cms_tree_page_view_can_add_after", current_user_can( $post_type_object->cap->create_posts), $page_id);
$can_add_inside = apply_filters("cms_tree_page_view_can_add_inside", current_user_can( $post_type_object->cap->create_posts), $page_id);

these check for basic publish permissions for the post type via current_user_can again this will be caught by RS which may be sufficient in many situations, if not the filters let you add some extra checking.

these filtered results can then be used to both control the display of the add links but also check for correct permissions in the ajax function.

hope that makes sense. :S

Makes sense! ?? Thanks. Update coming today! Try it and let me know if it seems to work for you.

Thanks for the update, looks good, two things however,

i would recommend you have the default permission value for the two “add” functions default to the $post_type_object->cap->create_posts capability rather than the edit post, as per my last post. as it will then be a bit more likely to work out of the box with any permission changes that may have been made. Its not the end of the world as the filter lets me override when i need to anyway but it would make sense to check the more relevant permission.

secondly i would suggest adding the same user_can_add_xxx permission check and filter calls to the ajax function that does the actual adding as otherwise it is possible for any logged-in user to call this function and add pages regardless of their permissions. So whilst you hide the buttons its a bit of a security hole.

lastly is there any chance you could add the same functionality to your
“Admin Menu Tree Page View” plugin.

Hi again,
I’m adding your last fixes as I type.

Regarding Admin Menu Tree Page View you are free to submit a patch for this if you want to, however I don’t use that plugin so frequently myself so I’m a bit to lazy to fix that right now. Sorry :/

Hi,
Sorry to hijack your 10 month old thread, but I just installed the cms-tree-page-view plugin and it at once says “Undefined property: stdClass::$create_posts in …/cms-tree-page-view/functions.php”.

I’ve been googling around for caps and permission checkings and I’m stuck at one question:
– Is create_posts really a default cap value?

It’s never listed when people talking about post_type_object->cap and I can’t find it anywhere in /wp-includes/capabilities.php.