Editors lost access

  • stphnwlkr

    (@stphnwlkr)


    5 months ago

    We have been using this for over a year and in one of the recent updates our editors lost access to the tool. Admins have no issues, but they are not normally responsible for the content. Is this a known issue? Is there a way to troubleshoot it to see why. This is in a multisite environment running current versions of everything.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author websevendev

    (@websevendev)

    It was part of a security fix to prevent users without unfiltered_html capability from adding attributes as it can be used maliciously.

    If you trust your editor users then you can grant them the capability.

    You can give the capability to roles:

    add_action('init', function() {
    	if($role = get_role('contributor')) {
    		$role->add_cap('unfiltered_html');
    	}
    });

    Or to individual users:

    add_action('init', function() {
    	if($user = get_user_by('login', 'editor-users-login')) {
    		if(!$user->has_cap('unfiltered_html')) {
    			$user->add_cap('unfiltered_html');
    		}
    	}
    });

    There are probably plugins that allow managing the capabilities without code as well.

    Thread Starter stphnwlkr

    (@stphnwlkr)

    I tried the code, and I tried adding the unfiltered_html capability to Capabilities Pro, and neither seems to work. Capabilities Pro states it is an unrecognized capability.

    Plugin Author websevendev

    (@websevendev)

    Here’s another method to do it, by filtering the capabilities, rather than granting them:

    add_filter('user_has_cap', function($allcaps, $caps, $args, $user) {
    	if(
    		in_array('unfiltered_html', $caps, true)
    		&& in_array('editor', $user->roles, true)
    	) {
    		$allcaps['unfiltered_html'] = true;
    	}
    	return $allcaps;
    }, 10, 4);

    This one should allow unfiltered_html for every user with editor role.

    Thread Starter stphnwlkr

    (@stphnwlkr)

    Still not working in my hosting environment (WordPress VIP). I am also checking with them to see if there is a conflict.

    Thread Starter stphnwlkr

    (@stphnwlkr)

    So, it turns out in multisite that current_user_can will not work on this capability because it is disabled even for admins. Only super admins have access. The team thinks there might be a flaw in Core that needs to be resolved and are researching. The code we used was:

    function multisite_allow_unfiltered_html_per_role( $caps, $cap, $user_id, $args ) { if ( ‘unfiltered_html’ === $cap ) { $user = get_userdata( $user_id ); $roles = $user->roles; foreach ( $roles as $role ) { $role = get_role( $role ); if ( $role->has_cap( ‘unfiltered_html’ ) ) { return $caps = array( ‘unfiltered_html’ ); } } } return $caps; } add_filter( ‘map_meta_cap’, ‘multisite_allow_unfiltered_html_per_role’, 1, 4 );

    This makes it an available capability and we use Capabilities Pro to enable it.

    Plugin Author websevendev

    (@websevendev)

    Ah, interesting. And just to confirm, when you said earlier:

    Admins have no issues, but they are not normally responsible for the content.

    did you mean super admins? Cause if it was regular admins and they weren’t supposed to have unfiltered_html capability but were able to add attributes it might be something I need to look into as well.

    Thread Starter stphnwlkr

    (@stphnwlkr)

    It just so happens that everybody who has been able to use it has super admin rights. I made an assumption that it was because we were admins.

Viewing 7 replies - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.