• Greetings,

    I’ve been struggling with what seems to be a new WordPress feature (or unintended feature we call a bug).

    I had a plugin installed with a custom role, for this case let’s call it plugin_client. The plugin I use relies on the read attribute to fully work. About 2 weeks ago after a WordPress update, people assigned to the plugin_client role were unable to properly view things the plugin provided.

    After a deep dive into the database and code, I suspected it was a permissions issue and went to look at the role itself by installing a role manager. I noticed that the read attribute had been removed from the plugin_client role and even some other roles.

    I was able to use a role manager to add back the read attribute and for a brief period, a test client could see all of the plugin assets without issue. However, as soon as an admin loaded any page in /wp-admin/ or as soon as the wp-cron.php fired off, it simply stopped working again and when I went to check the roles, read was gone.

    I suspected, at first, that it was a plugin, so I uninstalled all plugins (and deleted them) and then manually edited the role in the database. I was going to go through the steps to re-add one plugin at a time until I found the right one and then just grep 'read' /plugins/* and start from there. To my surprise, I found that WordPress, by itself, for some reason was REMOVING the read attribute from ANY permissions except admin.

    I’ve also tried deleting the role and re-adding it with and without plugins installed and I constantly get the same result.

    I completely reset the permissions back to a fresh WordPress install. Again, the exact same result confirming my new suspicion that this was a core issue.

    I’m not sure what part of the WP Core is doing this. I’ve really dived through the codex to find something that might do this and can’t find it. I’ve also tried to search the core code of WordPress as well, with absolute failure.

    I’ve tried to add a plugin that looks like this:

    add_action( 'admin_init', 'fix_myplguin_caps' );
    function fix_myplguin_caps() {
      $role = 'plugin_client';
      $cap = 'read';
      $role = get_role( $role );
      $role->add_cap( $cap );
    }

    Again, the WP Core removes the capability after admin_init because this does nothing.

    Does anyone know where this is coming from and where I can start to build a little drop-in plugin to stop WordPress from doing this without breaking anything vital? If anyone can find this in the core, I can use a filter to hook in and fix it and I’ll be more than happy to post the fix here.

    I appreciate any attention or help that can be provided.

    Edit: I was able to fix this by changing the above code snippet to:

    add_action( 'admin_init', 'fix_myplguin_caps', 9999999 );
    function fix_myplguin_caps() {
      $role = 'plugin_client';
      $cap = 'read';
      $role = get_role( $role );
      $role->add_cap( $cap );
    }

    This is not really a fix, it’s a bandaid. I’m hoping someone can propose a real solution here.

    • This topic was modified 6 years, 3 months ago by leewells.
Viewing 1 replies (of 1 total)
  • Hallo, Mike.

    Bug reports should go on to Trac. Link here: https://core.trac.wordpress.org/newticket

    The core developers do not generally monitor the support forums, so the issue won’t show up in a WordPress bug scrub unless it is on Trac.

    If you do post here, or on Trac, please include your WordPress version.

    Please also check whether you have any MU Plugins installed on the site.

    Sends :coffee:

    • This reply was modified 6 years, 3 months ago by Carike. Reason: Added request for WP version and check of MU plugins
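
A diagnostic for the question raised in this thread, as an added example that is not part of either post or of WordPress core: a must-use plugin that logs the call chain whenever a saved role loses the `read` capability. It assumes the change goes through the WordPress roles API, which saves roles with `update_option()`; the plugin name, the `rwt_` function name and the constant are hypothetical.

```php
<?php
/**
 * Plugin Name: Role Write Tracer (added example, hypothetical name)
 *
 * Save as a single file in wp-content/mu-plugins/. It only logs; the
 * roles array is passed through unchanged.
 */

// Capability to watch; 'read' is the one the post reports disappearing.
const RWT_WATCHED_CAP = 'read';

// Roles are stored in one option named "<table prefix>user_roles".
global $wpdb;
$rwt_option = $wpdb->get_blog_prefix() . 'user_roles';

// This filter runs inside update_option() just before the value is saved.
// Registering at mu-plugin load time also covers regular plugins that
// touch roles while they are being loaded.
add_filter( "pre_update_option_{$rwt_option}", 'rwt_trace_role_write', 10, 2 );

/**
 * Compare the old and new roles arrays and log every role that loses
 * the watched capability, together with the PHP call chain.
 */
function rwt_trace_role_write( $new, $old ) {
    if ( ! is_array( $new ) || ! is_array( $old ) ) {
        return $new;
    }
    foreach ( $old as $role => $data ) {
        // empty() treats both a missing cap and an explicit false as "not granted".
        $had = ! empty( $data['capabilities'][ RWT_WATCHED_CAP ] );
        $has = ! empty( $new[ $role ]['capabilities'][ RWT_WATCHED_CAP ] );
        if ( $had && ! $has ) {
            $context = wp_doing_cron() ? 'wp-cron' : ( is_admin() ? 'wp-admin' : 'front end' );
            error_log( sprintf(
                '[role-tracer] "%s" removed from role "%s" during %s; call chain: %s',
                RWT_WATCHED_CAP,
                $role,
                $context,
                wp_debug_backtrace_summary() // Comma-separated list of callers.
            ) );
        }
    }
    return $new; // Never alter the write itself.
}
```

The entries go to the PHP error log, or to wp-content/debug.log when `WP_DEBUG` and `WP_DEBUG_LOG` are enabled. Writes made directly to the database bypass `update_option()` and will not be logged.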

The topic ‘WordPress Auto-Editing/Reverting Roles’ is closed to new replies.