Two roles in conflict: one allows to edit, the other does not allow

  • markussss

    (@markussss)


    2 years ago

    Hi,

    I just noticed when a user has two (or more) roles, there is a conflict.

    e.g.
    Editor has role to edit own and others’ pages
    GiveWP Manager does not have the role to edit others’ pages

    If the user has both roles, there is a conflict.

    The result: restriction is stronger than permission, so the user with both roles cannot edit pages (except for the own pages)

    2022-04-09_09-42-28.png
    2022-04-09_09-42-44.png
    2022-04-09_09-43-05.png

    I assume this is meant to be this way, right?
    It’s a permission scheme and design issue overall

    Interested on your take

    Thanks in advance

    Markus

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Vladimir Garagulya

    (@shinephp)

    2 years ago

    Hi Markus,

    User Role Editor (URE) supports/realizes WordPress default scheme of work with user capabilities and user roles. All WordPress built-in roles has user capabilities only with boolean true. That is every role contains only capabilities granted/permitted for this role. If you see the not checked (empty) capability checkbox at the URE – it means that this capability is not granted to the currently selected role.

    Thus, if user has 2 roles, role A (cap1, cap2) and role B (cap 3), the resulting permissions for such user will be the sum of capabilities from the both roles: cap1, cap2, cap3. All missed capabilities are not granted/permitted, but not prohibited to such user. You can not apparently prohibit capability via URE user interface.

    Though there is Members plugin which allows deny capability for role or user.

    Thread Starter markussss

    (@markussss)

    2 years ago

    Lets stick to the example where the user has 2 roles

    (capabilities for better illustration)

    role A: edit page, edit post, edit events
    role B: edit post, edit events

    According to your explanation, that would mean the user with role A and role B is able to edit a page.

    But that is exactly what is not working.


    In my real example above (screenshots) it’s not about edit_page, but about edit_others_pages

    Obviously, edit_others_pages does not work. Even though the user has this capability with one role. But it is missing this capability on another role.

    Either I did not understand it, or something is wrong

    Interested what you think about it

    Plugin Author Vladimir Garagulya

    (@shinephp)

    2 years ago

    Thank you for explanation. It should work as my experience says. Some another plugin or additional code (may be in functions.php) may be involved. Can you test with all plugins deactivated temporally?

    Thread Starter markussss

    (@markussss)

    2 years ago

    Sorry for my late response – just tested it and can confirm it still does not work how you expected it to work.

    So the scenario stays the same as previously described.

    I am just not sure if this is an issue or works as designed.

    The capabilities are given to a user/role.
    It’s possible to not give a capability by not checking it.

    If there was an option to prohibit/forbid a specific capability, then it would make sense. When one role allows something, while the other prohibits something. The prohibition is stronger.

    But I thought WordPress does not work this way, as you can only tick or untick a capability, hence I am confused about this.

    In my particular case, it’s not important. It’s a tiny project, I could just workaround it … but overall, it would be interesting to know how this works.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Two roles in conflict: one allows to edit, the other does not allow’ is closed to new replies.