Incorrect User Capability check in location.php

  • Resolved Stonehenge Creations

    (@duisterdenhaag)


    3 years, 3 months ago

    Hi ??

    While processing the Locations Types code changes for the upcoming EM-OSM add-on update, I came across an incorrect user capability check regarding physical EM Locations in /events-manger/templates/forms/event/location.php, line 55.

    if( get_option('dbem_use_select_for_locations') || !$EM_Event->can_manage('edit_locations','edit_others_locations') )

    This check is used to determine whether to show the Locations Dropdown or the Location Address fields in the “Where” Metabox in the Edit Event page.
    Using the Address fields users can only select previously created locations through Ajax or create a new location. Editing an existing location can only be done in the Edit Location page.

    Since the ‘edit_locations’ capability starts with Contributor (and up) and the “Reset form” link does not check any capabilities, shouldn’t the check be for ‘publish_events’ (Administrators and Editors only)?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support angelo_nwl

    (@angelo_nwl)

    Hi,

    I see what you mean, I’m going to let the Devs know about this.

    Plugin Author Marcus (aka @msykes)

    (@netweblogic)

    Hi, I think this is correct. edit_locations is the minimum requirement to create a location, not publish_location. This check decides to show a dropdown if ddms are specifically chosen for use, or if not, whether the user has access to create new locations. If not, then ddm is shown with relevant accessible locations.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Incorrect User Capability check in location.php’ is closed to new replies.