• Resolved Elías

    (@eliasgdj)


    Hello.

    I have a client that has many employees, and all of them manage the website. I created a Role for the Employees that can only manage some CPTs and Users, but the View Admin As option appears to them. They are not Administrators and the User level is 0. Why are they seeing it? My client just notified me that the employees were watching content that they shouldn’t because they could change to ANY role.

    Thanks.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Jory Hogeveen

    (@keraweb)

    Hi @eliasgdj,

    If they see the plugin then they have the view_admin_as capability (since you mention they are not admins).
    Please use the Role Manager to check if that capability is checked for their role.

    User levels are not used anymore in WP so that won’t matter.
    I do however use the editable_roles roles filter from WP to filter out any roles that a non-admin user shouldn’t be able to use.
    I feel like there might be a compatibility issue with that filter. Or maybe something is conflicting with the checks if a user has access or not (I’m using WP core’s current_user_can() functions for validating capabilities).

    What other plugins do you have installed?

    Thanks, Jory

    Plugin Author Jory Hogeveen

    (@keraweb)

    Hi @eliasgdj,

    Waiting for your reply! 🙂

    Thanks, Jory

    Thread Starter Elías

    (@eliasgdj)

    What Role Manager? From the View Admin As? I have it deactivated! I don’t want the employees to become admins!

    Ok, I’ve activated it just for a few seconds. Is this what you want?

    View post on imgur.com

    I have 25 active plugins in this project.

    Plugin Author Jory Hogeveen

    (@keraweb)

    Hi @eliasgdj,

    That won’t be possible. The role manager from VAA only allows modifying a role, not assigning it.

    But in any case, if your users have access to this plugin then there is a conflict. Most likely with another plugin.

    Can you please check the following:
    – Go to settings and enable the role manager.
    – Go to “Capabilities” (or “Capacidaded”) like in your screenshot. Open the role manager item and select the “Empleado” role. After doing this, is the “view_admin_as” capability checked?
    – If so, uncheck it and save the role. Users with that role should not have access to this plugin anymore.

    If this doesn’t work it’s a conflict with a plugin.
    In that case it’s best to deactivate all plugins except VAA and activate them one by one. After enabling each plugin, please check if the user has access or not; if it does, the last enabled plugin is most likely the cause.

    If you can’t figure it out I can also take a look if you want. In that case, please add a user with the email address “info@keraweb.nl” so I can log in and take a look. You can delete my account afterwards.
    Do not share any login credentials here!

    Thanks and let me know!

    Regards, Jory

    Thread Starter Elías

    (@eliasgdj)

    > That won’t be possible. The role manager from VAA only allows modifying a role, not assigning it.

    What do you mean? I don’t want to do anything. BTW, I manage Roles with Capability Manager Enhanced (where that permission doesn’t appear).

    The ‘Empleado’ role does not have that capability: https://imgur.com/a/1TfyP

    I can’t currently deactivate plugins on this site.

    I just wanted to have an easy way to see the website as Empleado without logging out. I’ll use a browser profile to do that.

    Maybe if you want I could clone the site in Local to do some tests for you.

    Plugin Author Jory Hogeveen

    (@keraweb)

    > What do you mean? I don’t want to do anything. BTW, I manage Roles with Capability Manager Enhanced (where that permission doesn’t appear).

    The Role Manager from this plugin does the same as Capability Manager Enhanced. It allows you to change the capabilities assigned to a role.

    > I can’t currently deactivate plugins on this site.

    > I just wanted to have an easy way to see the website as Empleado without logging out. I’ll use a browser profile to do that.

    > Maybe if you want I could clone the site in Local to do some tests for you.

    Understandable.
    A clone would be perfect to test with. Let me know when I can take a look, very curious what could cause this.

    Thanks, Jory

    Plugin Author Jory Hogeveen

    (@keraweb)

    Hi @eliasgdj,

    Did you manage to create a test site? I’d really like to see what could cause this issue.

    Thanks, Jory

    Thread Starter Elías

    (@eliasgdj)

    Hi, how can I give you URL and login? And what capabilities do you need?

    Plugin Author Jory Hogeveen

    (@keraweb)

    Hi @eliasgdj,

    Thanks for your reply!
    I’m going to need full access in order to see all possible issues. That way I can also see if other plugins might be the cause of this and maybe replicate your installation to check it locally.

    Please do not share any login credentials here but contact me personally on Slack (keraweb.slack.com) or e-mail (info@keraweb.nl).

    Thanks! Jory

    Plugin Author Jory Hogeveen

    (@keraweb)

    For other readers, this issue was solved locally.

    The problem was as follows:
    The “Empleado” role was granted the delete_users capability, which in turn triggers the “super admin” status within WordPress.
    View Admin As checks for super admins and in turn grants them full access. Anyone should always be very careful with granting other roles the delete_users capability since this could cause loopholes in security when not handled properly!

    The next version (v1.7.6) will be enhanced with a check for two more capabilities besides is_super_admin() (or, on a single-site installation, delete_users) before granting a user full access to all View Admin As features:

    • edit_users
    • edit_plugins (default for the administrator role and allows editing this plugin from within WP. Seems like a logical choice to allow full access)

    For more information: https://github.com/JoryHogeveen/view-admin-as/pull/85

    Thanks to @eliasgdj for reporting this edge case.

    Cheers, Jory

    • This reply was modified 6 years, 4 months ago by Jory Hogeveen.
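To illustrate the root cause described in the reply above, here is an added example that is not code from the View Admin As plugin or its v1.7.6 pull request; the function names are hypothetical, and it assumes it runs inside a loaded single-site WordPress (for example as a must-use plugin or via `wp eval-file`).

```php
<?php
// Added example (not the plugin's own code). On a single-site WordPress install,
// is_super_admin() falls back to the delete_users capability, so any role that is
// granted delete_users is treated as a super admin by every plugin that relies on
// is_super_admin() alone. On multisite the super admin list is consulted instead.

/**
 * Audit helper: return the slugs of all non-administrator roles that carry
 * delete_users and therefore pass is_super_admin() on a single-site install.
 */
function vaa_example_roles_with_delete_users() {
    $risky = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( 'administrator' === $slug ) {
            continue;
        }
        if ( ! empty( $role['capabilities']['delete_users'] ) ) {
            $risky[] = $slug;
        }
    }
    return $risky;
}

/**
 * Hardened "full access" gate in the spirit of the v1.7.6 change described above:
 * the super admin check alone is not enough, the user must also hold
 * edit_users and edit_plugins (both default administrator capabilities).
 */
function vaa_example_user_has_full_access( $user_id ) {
    if ( ! is_super_admin( $user_id ) ) {
        return false;
    }
    return user_can( $user_id, 'edit_users' ) && user_can( $user_id, 'edit_plugins' );
}

// Report every role that would have silently become a super admin (e.g. "empleado").
foreach ( vaa_example_roles_with_delete_users() as $slug ) {
    error_log( sprintf( 'Role "%s" has delete_users and passes is_super_admin() on single-site WordPress', $slug ) );
}
```

A role flagged by the audit should have delete_users removed unless it genuinely needs to delete user accounts, since the capability implies super admin status to any code that checks is_super_admin().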
    Thread Starter Elías

    (@eliasgdj)

    Thanks for the research!

  • The topic ‘Required Capabilities’ is closed to new replies.