• I installed and have been playing around with WordPress, and I just discovered something very, very odd: on my installation, user restrictions seem to be broken!
    For example, I have one admin user set to level 10, and three users set to level 1. According to the documentation, these three users should be able to post and edit their own posts. Instead, there are links visible for ALL posts to be edited…and they’re functional. Each user can edit each other’s posts.
    It is worth noting that, in the admin section, if I select “edit”, I only get “edit” links on a given user’s posts…but if I update the url to a different (another user’s) post, I am free to edit and save the post there as well.
    So what gives? Is this the way it is designed (which I doubt), or is something going awry with my installation (and I’m taking suggestions on what it might be).
    Thanks in advance.

Viewing 6 replies - 1 through 6 (of 6 total)
  • You can get the edit buttons to disappear too by making the following edits to “template-functions-links.php” in “wp-includes”:
    Locate the function “edit_post_link”.
    1. Add $user_login as a global variable.
    change

    global $user_level, $post;

    to

    global $user_level,$post,$user_login;

    2. Change the conditional as shown in the previous post.
    change

    if ($user_level > 0)

    to

    if (!($user_level == $authordata->user_level && $user_login != $authordata->user_login))

    Oh, but make sure that you don’t just make the edit buttons go away… be sure you edit wp-admin/post.php as well, or people will still be able to edit each others’ posts by forging the link. That’s called bad security.

    I don’t know much about security, so I wouldn’t touch that issue.
    But I’d rather call the whole user level thing a fatal misconception in most of the publishing software! It seems that everybody thinks they have to put in some kind of user level system – since everybody else does – but nobody really gives it a thought how to make it functional.
    (If it is merely a personal blog, i.e. with one single poster, you don’t really need “levels” – it just doesn’t make sense. Maybe a simple registration possibility for commenters, in order to avoid spam comments. That’s it.)
    On the other hand, if someone is going to use it as community tool, i.e. having many authors and contributors, then the user level system becomes of vital importance. However I haven’t seen yet one blog tool or CMS that would explore correctly the potential of having user levels. My guess is because for this you may need a basic understanding of how a “publishing hierarchy” works in the real life.
    Based on pieces that I have seen all over the web, if I was a coder I’d put together the following level system:
    1. Registered member/user
    – can post only comments
    2. Author/writer/contributor/you_name_it
    – can post comments (of course)
    – can post in one assigned category
    – can edit own posts while in Draft (but cannot publish)
    Here is the trick! Instead of the “Publish” button, when they are ready they “send” the article (a.k.a. post) to a higher level, and that action makes the article/post editable ONLY by the next level user(s), let’s call it
    3. Editor/Category Editor
    – has all the privileges above, plus
    – can proofread, edit and publish in his category
    4. Big Chief
    – all of the above, but
    – can edit and publish in every category
    5. Admin/Owner
    – all of the above
    + layout
    + Options etc.
    You could fine tune it, e.g. adding a “comments editor” = can edit all the junk comments between 2. and 3, or you might have a “designer, CSS guru” just below the Admin… but that doesn’t alter the main idea: when it comes to a work-flow, too much “democracy” hurts (LOL); it has to be functionally hierarchical! Otherwise it’s a chaos. I used to work in the paper media, though in a computerized environment. And while I was at level 3. in the above schema, the final publish button was at level 4. Once sent there, I couldn’t reach it.
    Just my 2c.

    You can get the edit buttons to disappear too by making the following edits to “template-functions-links.php” in “wp-includes”:
    Locate the function “edit_post_link”. Replace the whole thing with this:

    function edit_post_link($link = 'Edit This', $before = '', $after = '') {
        global $user_level, $post, $user_login;

        get_currentuserinfo();   // fills $user_level and $user_login for the current user

        if ($user_level > 0) {
            $authordata = get_userdata($post->post_author);
            // Hide the link when the viewer is not the author and has no higher level than the author.
            if ($user_level <= $authordata->user_level && $user_login != $authordata->user_login) {
                return;
            }
        } else {
            return;   // not logged in / level 0: never show the link
        }

        $location = get_settings('siteurl') . "/wp-admin/post.php?action=edit&post=$post->ID";
        echo "$before <a href=\"$location\">$link</a> $after";
    }

    This makes it so that only the person who posted the post can edit their post, unless you’re a higher level. E.g. Admin sees ‘Edit This’ for all posts, but a level 1 user only sees ‘Edit This’ for their own posts, and level 2 users can see ‘Edit This’ for their own posts as well as all level 1 users’ posts. This is different from the code above, and I believe it works better. I really want to thank whoever posted that above because it really helped me to set this up.

    Oh, and this is secure. If you change the link, it won’t let you edit the post unless you’re logged in as the user.
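The server-side counterpart the earlier reply asks for (checking in wp-admin/post.php rather than only hiding the link), using the same level rule as the edit_post_link() condition above. This is an added example, not code from the thread or from WordPress; can_edit_post(), handle_edit_request() and the user and post tables are constructed stand-ins for get_currentuserinfo()/get_userdata() and the posts table.

```php
<?php
// True when $current_login may edit a post written by $author_login:
// the author always may; anyone else needs a strictly higher user_level.
function can_edit_post($current_login, $current_level, $author_login, $author_level) {
    if ($current_level <= 0) {
        return false;                       // level 0 or not logged in
    }
    if ($current_login === $author_login) {
        return true;                        // own post
    }
    return $current_level > $author_level;  // e.g. level 2 over a level 1 author
}

// Constructed stand-ins for get_currentuserinfo()/get_userdata() and the posts table:
// login => user_level (the original poster's one level 10, three level 1), post ID => author.
$users = array('admin' => 10, 'alice' => 1, 'bob' => 1, 'carol' => 2);
$posts = array(1 => 'alice', 2 => 'bob', 3 => 'carol');

// The check that belongs at the top of post.php's edit and save branches,
// before any UPDATE runs. Returns what the request would get back.
function handle_edit_request($post_id, $current_login, $users, $posts) {
    if (!isset($posts[$post_id])) {
        return 'no such post';
    }
    $author = $posts[$post_id];
    $level  = isset($users[$current_login]) ? $users[$current_login] : 0;
    if (!can_edit_post($current_login, $level, $author, $users[$author])) {
        return 'denied';                    // the forged-link case
    }
    return "edit form for post $post_id";
}

// Walk the level matrix described in the thread.
$cases = array(
    array(1, 'alice', 'edit form for post 1'),  // own post
    array(2, 'alice', 'denied'),                // another level-1 author's post
    array(1, 'carol', 'edit form for post 1'),  // level 2 editing a level-1 author
    array(3, 'bob',   'denied'),                // level 1 cannot edit a level-2 author
    array(3, 'admin', 'edit form for post 3'),  // level 10 edits everything
    array(1, 'guest', 'denied'),                // unknown / logged-out user
);
foreach ($cases as $c) {
    $got = handle_edit_request($c[0], $c[1], $users, $posts);
    if ($got !== $c[2]) {
        echo "FAIL: {$c[1]} on post {$c[0]}: got '$got'\n";
        exit(1);
    }
}
echo "all checks passed\n";
```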

    johnnyroxxor > Thanks, I tried your change on my test installation. I think it’s working but I’m not sure what I should be seeing.

    For comments left by a test user I created, I get this when I try to post a comment:
    Sorry, the comment form is closed at this time.

    For the original comment which comes with the default install, I get the opportunity to comment, although it goes into the moderation queue.

    The information I gave was only for the function named:
    function edit_post_link()

    Not the function following for comments. I’m not exactly sure what the problem is there, probably a problem in the WordPress control panel. Maybe you need to select an option under the tab OPTIONS. Then there is a subtab called DISCUSSION. And under the option ‘Before a comment appears:’

  • The topic ‘User restrictions broken?!’ is closed to new replies.