Title: Normal users can modify settings
Last modified: August 21, 2016

---

# Normal users can modify settings

 *  Resolved [coNQP](https://wordpress.org/support/users/conqp/)
 * (@conqp)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/)
 * Hi everybody,
 * I encounter the strange problem that standard users can access the Events Manager’s
   settings page via the dashboard menu “Events Manager -> Settings” and can actually
   modify the settings there.
   To me this is an unacceptable security risk: [http://imageshack.us/photo/my-images/203/kod0.png/](http://imageshack.us/photo/my-images/203/kod0.png/)
 * Can anybody reproduce this problem?
 * [http://wordpress.org/plugins/events-manager/](http://wordpress.org/plugins/events-manager/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  [caimin_nwl](https://wordpress.org/support/users/caimin_nwl/)
 * (@caimin_nwl)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4222965)
 * Hi,
 * Is this a multisite install or a single site setup?
 * What level of user does this apply to?
 * Thanks.
 *  Plugin Support [angelo_nwl](https://wordpress.org/support/users/angelo_nwl/)
 * (@angelo_nwl)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4223045)
 * Hi,
 * Have you tried user capabilities at Events > Settings > General > User Capabilities?
   Also, do those users have the subscriber role, and have you tried disabling other
   plugins?
 *  Thread Starter [coNQP](https://wordpress.org/support/users/conqp/)
 * (@conqp)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4223113)
 * I am using a single-site installation.
   The respective users have these capabilities (using the “User Role Editor”):
   [http://imageshack.us/photo/my-images/38/g6zr.png/](http://imageshack.us/photo/my-images/38/g6zr.png/)
   Respectively, those capabilities within the Events Manager’s settings: [http://imageshack.us/photo/my-images/844/6lxx.png/](http://imageshack.us/photo/my-images/844/6lxx.png/)
 * Yet those users, having the role “Corpsbruder” can all access and modify the 
   Event Calendar’s settings as shown in my first post.
 * Thanks for any further hints
 *  Thread Starter [coNQP](https://wordpress.org/support/users/conqp/)
 * (@conqp)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4223114)
 * Update: I just figured out that the issue is connected to the “list_users” permission
   within the “User Role Editor”.
   If it is set, the issue occurs; if not, it doesn’t.
   Why is this? :-\
 *  [Philip John](https://wordpress.org/support/users/philipjohn/)
 * (@philipjohn)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4223115)
 * Hiya,
 * EM doesn’t use the list_users permission at all so it doesn’t make sense that
   granting that permission would allow users to access the settings.
 * Is the “Corpsbruder” role a new role that you’ve created, or one of the standard
   roles?
 * Thanks,
    Phil
 *  Plugin Author [Marcus (aka @msykes)](https://wordpress.org/support/users/netweblogic/)
 * (@netweblogic)
 * [12 years, 8 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4223119)
 * list_users is something admins are able to do which also works with MultiSite,
   so that’s the permission we use rather than activate_plugins.
 * I replied to someone with the same problem a few days ago, but unfortunately
   I can’t find it… Basically you can hook into WP, remove our menu item and
   re-add it with the right capability, see admin/em-admin.php for how we add ours.
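
The workaround described in the reply above, as an added example that is not part of the thread and not Events Manager's own code. The two slug constants are placeholders to be copied from `admin/em-admin.php`; the `my_em_*` names and the choice of `manage_options` as the stricter capability are assumptions.

```php
<?php
/**
 * Added example: re-register the Events Manager Settings submenu under a
 * stricter capability. Intended for a small site plugin or mu-plugin.
 */

// Placeholders: copy both slugs from the add_submenu_page() call that
// registers the Settings page in admin/em-admin.php.
const MY_EM_PARENT_SLUG   = 'REPLACE_WITH_PARENT_MENU_SLUG';
const MY_EM_SETTINGS_SLUG = 'REPLACE_WITH_SETTINGS_PAGE_SLUG';

// Assumption: on this site only administrators hold manage_options.
const MY_EM_SETTINGS_CAP = 'manage_options';

function my_em_restrict_settings_menu() {
    // remove_submenu_page() returns the removed entry or false.
    // Entry layout: [0] menu title, [1] capability, [2] slug, [3] page title.
    $item = remove_submenu_page( MY_EM_PARENT_SLUG, MY_EM_SETTINGS_SLUG );

    if ( ! is_array( $item ) ) {
        // Nothing was removed (plugin inactive or slugs wrong): change nothing.
        return;
    }

    // Re-add the same page with the stricter capability. No callback is
    // passed: remove_submenu_page() only drops the menu entry, so the
    // plugin's original page callback is still hooked and renders the page.
    add_submenu_page(
        MY_EM_PARENT_SLUG,
        isset( $item[3] ) ? $item[3] : $item[0],
        $item[0],
        MY_EM_SETTINGS_CAP,
        MY_EM_SETTINGS_SLUG
    );
}

// Late priority so this runs after the plugin has registered its own menu.
add_action( 'admin_menu', 'my_em_restrict_settings_menu', 999 );
```

This changes only the capability WordPress checks when the settings page is opened; it does not alter any capability check the plugin performs itself when settings are saved. Verify the result by logging in as a user that has `list_users` but not `manage_options` and requesting the settings URL directly.
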
 *  [Ilia Tyker](https://wordpress.org/support/users/joanne123/)
 * (@joanne123)
 * [12 years, 1 month ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4223181)
 * Same problem here. Our membership is managed by quite non-technical people who
   do not have any editing privileges. We want to keep the interface as simple as
   possible for them.
 * “hook into WP, remove our menu item and re-add it with the right capability” 
   seems like a lot of added complication for something that should be quite simple.
   I prefer not to do that — we already have too many tweaks that are a mess to 
   maintain and slow the site down.
 * Is there no other capability than “list_users” that could be used to test for
   admin status? That sounds like a defect in wordpress.
 *  [renfrei](https://wordpress.org/support/users/renfrei/)
 * (@renfrei)
 * [11 years, 11 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4223182)
 * Same problem here. In my opinion this is not a solution, not even close to one.
   Thanks for reopening.


The topic ‘Normal users can modify settings’ is closed to new replies.


 * 8 replies
 * 7 participants
 * Last reply from: [renfrei](https://wordpress.org/support/users/renfrei/)
 * Last activity: [11 years, 11 months ago](https://wordpress.org/support/topic/normal-users-can-modify-settings/#post-4223182)
 * Status: resolved