User Role Editor - Version 4.20


Developer shinephp

Code changes from version 4.19.3 to 4.20

includes/class-advertisement.php CHANGED
@@ -18,13 +18,7 @@ class ure_Advertisement {
18
  $index = $this->rand_unique( $used );
19
  $this->slots[$index] = $this->admin_menu_editor();
20
  $used[] = $index;
21
-
22
- if ( date('Y-m-d') < date('Y-m-d', strtotime('2015-11-03')) ) {
23
- $index = $this->rand_unique( $used );
24
- $this->slots[$index] = $this->manage_wp();
25
- $used[] = $index;
26
- }
27
-
28
  $index = $this->rand_unique( $used );
29
  $this->slots[$index] = $this->wp_esignature();
30
  $used[] = $index;
@@ -65,23 +59,7 @@ class ure_Advertisement {
65
  return $output;
66
  }
67
  // end of admin_menu_editor()
68
-
69
-
70
- // content of Manage WP advertisement slot
71
- private function manage_wp() {
72
-
73
- $output = '
74
- <div style="text-align: center;">
75
- <a title="ManageWP" href="http://managewp.com/?utm_source=user_role_editor&utm_medium=Banner&utm_content=mwp250_2&utm_campaign=Plugins" target="_new" >
76
- <img width="250" height="250" alt="ManageWP" src="'. URE_PLUGIN_URL .'images/mwp250_2.png">
77
- </a>
78
- </div>
79
- ';
80
-
81
- return $output;
82
- }
83
- // end of manage_wp()
84
-
85
 
86
  // content of WP eSignature advertisement slot
87
  private function wp_esignature() {
18
  $index = $this->rand_unique( $used );
19
  $this->slots[$index] = $this->admin_menu_editor();
20
  $used[] = $index;
21
+
 
 
 
 
 
 
22
  $index = $this->rand_unique( $used );
23
  $this->slots[$index] = $this->wp_esignature();
24
  $used[] = $index;
59
  return $output;
60
  }
61
  // end of admin_menu_editor()
62
+
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
63
 
64
  // content of WP eSignature advertisement slot
65
  private function wp_esignature() {
includes/class-protect-admin.php ADDED
@@ -0,0 +1,181 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ /*
4
+ * Main class of User Role Editor WordPress plugin
5
+ * Author: Vladimir Garagulya
6
+ * Author email: support@role-editor.com
7
+ * Author URI: https://www.role-editor.com
8
+ * License: GPL v2+
9
+ *
10
+ */
11
+
12
+ class URE_Protect_Admin {
13
+
14
+ private $lib = null;
15
+ private $user_to_check = null; // cached list of user IDs, who has Administrator role
16
+
17
+ public function __construct($lib) {
18
+ $this->lib = $lib;
19
+ $this->user_to_check = array();
20
+
21
+ // Exclude administrator role from edit list.
22
+ add_filter('editable_roles', array($this, 'exclude_admin_role'));
23
+ // prohibit any actions with user who has Administrator role
24
+ add_filter('user_has_cap', array($this, 'not_edit_admin'), 10, 3);
25
+ // exclude users with 'Administrator' role from users list
26
+ add_action('pre_user_query', array($this, 'exclude_administrators'));
27
+ // do not show 'Administrator (s)' view above users list
28
+ add_filter('views_users', array($this, 'exclude_admins_view'));
29
+ }
30
+ // end of __construct()
31
+
32
+
33
+ /**
34
+ * exclude administrator role from the roles list
35
+ *
36
+ * @param string $roles
37
+ * @return array
38
+ */
39
+ public function exclude_admin_role($roles) {
40
+
41
+ if (isset($roles['administrator'])) {
42
+ unset($roles['administrator']);
43
+ }
44
+
45
+ return $roles;
46
+ }
47
+ // end of exclude_admin_role()
48
+
49
+
50
+ /**
51
+ * Check if user has "Administrator" role assigned
52
+ *
53
+ * @global wpdb $wpdb
54
+ * @param int $user_id
55
+ * @return boolean returns true is user has Role "Administrator"
56
+ */
57
+ private function has_administrator_role($user_id) {
58
+ global $wpdb;
59
+
60
+ if (empty($user_id) || !is_numeric($user_id)) {
61
+ return false;
62
+ }
63
+
64
+ $table_name = $this->lib->get_usermeta_table_name();
65
+ $meta_key = $wpdb->prefix . 'capabilities';
66
+ $query = "SELECT count(*)
67
+ FROM $table_name
68
+ WHERE user_id=$user_id AND meta_key='$meta_key' AND meta_value like '%administrator%'";
69
+ $has_admin_role = $wpdb->get_var($query);
70
+ if ($has_admin_role > 0) {
71
+ $result = true;
72
+ } else {
73
+ $result = false;
74
+ }
75
+ // cache checking result for the future use
76
+ $this->user_to_check[$user_id] = $result;
77
+
78
+ return $result;
79
+ }
80
+
81
+ // end of has_administrator_role()
82
+
83
+
84
+ /**
85
+ * We have two vulnerable queries with user id at admin interface, which should be processed
86
+ * 1st: http://blogdomain.com/wp-admin/user-edit.php?user_id=ID&wp_http_referer=%2Fwp-admin%2Fusers.php
87
+ * 2nd: http://blogdomain.com/wp-admin/users.php?action=delete&user=ID&_wpnonce=ab34225a78
88
+ * If put Administrator user ID into such request, user with lower capabilities (if he has 'edit_users')
89
+ * can edit, delete admin record
90
+ * This function removes 'edit_users' capability from current user capabilities
91
+ * if request has admin user ID in it
92
+ *
93
+ * @param array $allcaps
94
+ * @param type $caps
95
+ * @param string $name
96
+ * @return array
97
+ */
98
+ public function not_edit_admin($allcaps, $caps, $name) {
99
+
100
+ $user_keys = array('user_id', 'user');
101
+ foreach ($user_keys as $user_key) {
102
+ $access_deny = false;
103
+ $user_id = $this->lib->get_request_var($user_key, 'get');
104
+ if (empty($user_id)) {
105
+ break;
106
+ }
107
+ if ($user_id == 1) { // built-in WordPress Admin
108
+ $access_deny = true;
109
+ } else {
110
+ if (!isset($this->user_to_check[$user_id])) {
111
+ // check if user_id has Administrator role
112
+ $access_deny = $this->has_administrator_role($user_id);
113
+ } else {
114
+ // user_id was checked already, get result from cash
115
+ $access_deny = $this->user_to_check[$user_id];
116
+ }
117
+ }
118
+ if ($access_deny) {
119
+ unset($allcaps['edit_users']);
120
+ }
121
+ break;
122
+ }
123
+
124
+ return $allcaps;
125
+ }
126
+ // end of not_edit_admin()
127
+
128
+
129
+ /**
130
+ * add where criteria to exclude users with 'Administrator' role from users list
131
+ *
132
+ * @global wpdb $wpdb
133
+ * @param type $user_query
134
+ */
135
+ public function exclude_administrators($user_query) {
136
+
137
+ global $wpdb;
138
+
139
+ $result = false;
140
+ $links_to_block = array('profile.php', 'users.php');
141
+ foreach ($links_to_block as $key => $value) {
142
+ $result = stripos($_SERVER['REQUEST_URI'], $value);
143
+ if ($result !== false) {
144
+ break;
145
+ }
146
+ }
147
+
148
+ if ($result === false) { // block the user edit stuff only
149
+ return;
150
+ }
151
+
152
+ // get user_id of users with 'Administrator' role
153
+ $tableName = $this->lib->get_usermeta_table_name();
154
+ $meta_key = $wpdb->prefix . 'capabilities';
155
+ $admin_role_key = '%"administrator"%';
156
+ $query = "select user_id
157
+ from $tableName
158
+ where meta_key='$meta_key' and meta_value like '$admin_role_key'";
159
+ $ids_arr = $wpdb->get_col($query);
160
+ if (is_array($ids_arr) && count($ids_arr) > 0) {
161
+ $ids = implode(',', $ids_arr);
162
+ $user_query->query_where .= " AND ( $wpdb->users.ID NOT IN ( $ids ) )";
163
+ }
164
+ }
165
+ // end of exclude_administrators()
166
+
167
+
168
+ /*
169
+ * Exclude view of users with Administrator role
170
+ *
171
+ */
172
+ public function exclude_admins_view($views) {
173
+
174
+ unset($views['administrator']);
175
+
176
+ return $views;
177
+ }
178
+ // end of exclude_admins_view()
179
+
180
+ }
181
+ // end of URE_Protect_Admin class
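Review bot: In `not_edit_admin()` the new `if (empty($user_id)) { break; }` leaves the whole loop as soon as the first key (`user_id`) is absent, so the second key `user` — the one the docblock itself lists for `users.php?action=delete&user=ID` — is never examined; the pre-refactor version (`if (!empty($user_id)) { …; break; }`) fell through to the next key. Change that line to `continue;` so every entry of `$user_keys` is tried until one is present. Separately, `has_administrator_role()` interpolates `$user_id` and `$meta_key` into the SQL and matches `'%administrator%'`, which also hits any role slug that merely contains that substring; prefer `$wpdb->prepare("SELECT count(*) FROM $table_name WHERE user_id=%d AND meta_key=%s AND meta_value LIKE %s", $user_id, $meta_key, '%"administrator"%')`, which is the quoted pattern `exclude_administrators()` already uses. The check also reads only GET parameters (`get_request_var($user_key, 'get')`), so an equivalent id passed in a POST body may not be covered — worth confirming against how `get_request_var` and the WordPress user screens pass the id.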
includes/class-role-additional-options.php ADDED
@@ -0,0 +1,134 @@
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
+ <?php
2
+
3
+ class URE_Role_Additional_Options {
4
+
5
+ private static $instance = null;
6
+ private $lib = null;
7
+ private $items = null;
8
+ private $active_items = null;
9
+ const STORAGE_ID = 'ure_role_additional_options_values';
10
+
11
+ public function __construct($lib) {
12
+
13
+ $this->lib = $lib;
14
+ $this->init();
15
+ }
16
+ // end of __construct()
17
+
18
+
19
+ public static function get_instance($lib) {
20
+
21
+ if (self::$instance===null) {
22
+ self::$instance = new URE_Role_Additional_Options($lib);
23
+ }
24
+
25
+ return self::$instance;
26
+ }
27
+ // end of get_instance()
28
+
29
+
30
+ public static function create_item($id, $label, $hook, $routine) {
31
+ $item = new stdClass();
32
+ $item->id = $id;
33
+ $item->label = $label;
34
+ $item->hook = $hook;
35
+ $item->routine = $routine;
36
+
37
+ return $item;
38
+ }
39
+ // end of create_item()
40
+
41
+
42
+ public static function get_active_items() {
43
+
44
+ $items = get_option(self::STORAGE_ID, array());
45
+
46
+ return $items;
47
+ }
48
+
49
+
50
+ private function init() {
51
+
52
+ $this->items = array();
53
+ $item = self::create_item('hide_admin_bar', esc_html__('Hide admin bar', 'user-role-editor'), 'init', 'ure_hide_admin_bar');
54
+ $this->items[$item->id] = $item;
55
+
56
+ // Allow other developers to modify the list of role's additonal options
57
+ $this->items = apply_filters('ure_role_additional_options', $this->items);
58
+
59
+ $this->active_items = self::get_active_items();
60
+ }
61
+ // end of init()
62
+
63
+
64
+ public function set_active_items_hooks() {
65
+ global $current_user;
66
+
67
+ if (current_user_can('ure_edit_roles')) {
68
+ return;
69
+ }
70
+
71
+ foreach($current_user->roles as $role) {
72
+ if (!isset($this->active_items[$role])) {
73
+ continue;
74
+ }
75
+ foreach(array_keys($this->active_items[$role]) as $item_id) {
76
+ add_action($this->items[$item_id]->hook, $this->items[$item_id]->routine);
77
+ }
78
+ }
79
+
80
+ }
81
+ // end of set_active_items_hooks()
82
+
83
+
84
+ public function save($current_role) {
85
+ $this->active_items = self::get_active_items();
86
+ $this->active_items[$current_role] = array();
87
+ foreach($this->items as $item) {
88
+ if (isset($_POST[$item->id])) {
89
+ $this->active_items[$current_role][$item->id] = 1;
90
+ }
91
+ }
92
+ update_option(self::STORAGE_ID, $this->active_items);
93
+
94
+ }
95
+ // end of save()
96
+
97
+
98
+ public function show($current_role) {
99
+
100
+ ?>
101
+
102
+ <hr />
103
+ <?php echo esc_html__('Additional Options', 'user-role-editor');?>:
104
+ <table class="form-table" style="clear:none;" cellpadding="0" cellspacing="0">
105
+ <tr>
106
+ <td>
107
+
108
+ <?php
109
+ $first_time = true;
110
+ foreach($this->items as $item) {
111
+ $checked = (isset($this->active_items[$current_role]) &&
112
+ isset($this->active_items[$current_role][$item->id])) ? 'checked="checked"' : '';
113
+ if (!$first_time) {
114
+ ?>
115
+ <br/>
116
+ <?php
117
+ }
118
+ ?>
119
+ <input type="checkbox" name="<?php echo $item->id;?>" id="<?php echo $item->id;?>" value="<?php echo $item->id;?>" <?php echo $checked;?> >
120
+ <label for="<?php echo $item->id;?>"><?php echo $item->label;?></label>
121
+ <?php
122
+ $first_time = false;
123
+ }
124
+ ?>
125
+ </td>
126
+ <td></td>
127
+ </tr>
128
+ </table>
129
+ <?php
130
+ }
131
+ // end of show()
132
+
133
+ }
134
+ // end of URE_Role_Additional_Options class
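Review bot: `set_active_items_hooks()` indexes `$this->items[$item_id]` for every id stored under the role in the `ure_role_additional_options_values` option without checking that the item still exists, so an id registered by third-party code through the `ure_role_additional_options` filter and later withdrawn (plugin deactivated, filter changed) produces a property read on null and a bogus `add_action()` call on every request. Guard the inner loop with `if (!isset($this->items[$item_id])) { continue; }` before the `add_action(...)` line. In `show()`, `$item->id` and `$item->label` are echoed raw into attribute and element content; since the same filter lets other code supply them, wrap them as `esc_attr($item->id)` and `esc_html($item->label)` (the built-in label is already escaped at creation, so only filter-supplied items are affected). `save()` reads `$_POST` directly; I assume the nonce and capability checks live in its caller (`save_roles()` in Ure_Lib), which is not visible here — confirm.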
includes/class-ure-lib.php CHANGED
@@ -16,7 +16,7 @@ class Ure_Lib extends Garvs_WP_Lib {
16
  public $roles = null;
17
  public $notification = ''; // notification message to show on page
18
  public $apply_to_all = 0;
19
- public $user_to_check = array(); // cached list of user IDs, who has Administrator role
20
 
21
  protected $capabilities_to_save = null;
22
  protected $current_role = '';
@@ -34,6 +34,7 @@ class Ure_Lib extends Garvs_WP_Lib {
34
  protected $role_delete_html = '';
35
  protected $capability_remove_html = '';
36
  protected $advert = null;
 
37
 
38
  // when allow_edit_users_to_not_super_admin option is turned ON, we set this property to true
39
  // when we raise single site admin permissions up to the superadmin for the 'Add new user' new-user.php page
@@ -309,13 +310,17 @@ class Ure_Lib extends Garvs_WP_Lib {
309
  </div>
310
  </div>
311
 
312
-
 
 
313
  <div id="ure_default_role_dialog" class="ure-modal-dialog">
314
  <div style="padding:10px;">
315
  <?php echo $this->role_default_html; ?>
316
  </div>
317
  </div>
318
-
 
 
319
 
320
  <div id="ure_delete_capability_dialog" class="ure-modal-dialog">
321
  <div style="padding:10px;">
@@ -571,7 +576,7 @@ class Ure_Lib extends Garvs_WP_Lib {
571
  $this->notification = $this->init_current_role_name();
572
  }
573
  $this->prepare_capabilities_to_save();
574
- $this->notification = $this->permissions_object_update($this->notification);
575
  } else {
576
  do_action('ure_process_user_request');
577
  } // if ($action
@@ -637,7 +642,10 @@ class Ure_Lib extends Garvs_WP_Lib {
637
  }
638
 
639
  $this->init_full_capabilities();
640
-
 
 
 
641
  if (!$this->is_pro()) {
642
  require_once(URE_PLUGIN_DIR . 'includes/class-advertisement.php');
643
  }
@@ -1337,10 +1345,14 @@ class Ure_Lib extends Garvs_WP_Lib {
1337
  <button id="ure_delete_capability" class="ure_toolbar_button">Delete Capability</button>
1338
  <?php
1339
  }
 
1340
  ?>
1341
  <hr />
1342
  <button id="ure_default_role" class="ure_toolbar_button">Default Role</button>
1343
  <hr />
 
 
 
1344
  <div id="ure_service_tools">
1345
  <?php
1346
  do_action('ure_role_edit_toolbar_service');
@@ -1786,6 +1798,12 @@ class Ure_Lib extends Garvs_WP_Lib {
1786
 
1787
  update_option($option_name, $this->roles);
1788
 
 
 
 
 
 
 
1789
  return true;
1790
  }
1791
  // end of save_roles()
@@ -2170,6 +2188,9 @@ class Ure_Lib extends Garvs_WP_Lib {
2170
  protected function change_default_role() {
2171
  global $wp_roles;
2172
 
 
 
 
2173
  $mess = '';
2174
  if (!isset($wp_roles)) {
2175
  $wp_roles = new WP_Roles();
@@ -2569,6 +2590,10 @@ class Ure_Lib extends Garvs_WP_Lib {
2569
 
2570
  private function role_default_prepare_html($select_width=200) {
2571
 
 
 
 
 
2572
  $caps_access_restrict_for_simple_admin = $this->get_option('caps_access_restrict_for_simple_admin', 0);
2573
  $show_admin_role = $this->show_admin_role_allowed();
2574
  if ($select_width>0) {
16
  public $roles = null;
17
  public $notification = ''; // notification message to show on page
18
  public $apply_to_all = 0;
19
+
20
 
21
  protected $capabilities_to_save = null;
22
  protected $current_role = '';
34
  protected $role_delete_html = '';
35
  protected $capability_remove_html = '';
36
  protected $advert = null;
37
+ protected $role_additional_options = null;
38
 
39
  // when allow_edit_users_to_not_super_admin option is turned ON, we set this property to true
40
  // when we raise single site admin permissions up to the superadmin for the 'Add new user' new-user.php page
310
  </div>
311
  </div>
312
 
313
+ <?php
314
+ if ($this->multisite && !is_network_admin()) {
315
+ ?>
316
  <div id="ure_default_role_dialog" class="ure-modal-dialog">
317
  <div style="padding:10px;">
318
  <?php echo $this->role_default_html; ?>
319
  </div>
320
  </div>
321
+ <?php
322
+ }
323
+ ?>
324
 
325
  <div id="ure_delete_capability_dialog" class="ure-modal-dialog">
326
  <div style="padding:10px;">
576
  $this->notification = $this->init_current_role_name();
577
  }
578
  $this->prepare_capabilities_to_save();
579
+ $this->notification = $this->permissions_object_update($this->notification);
580
  } else {
581
  do_action('ure_process_user_request');
582
  } // if ($action
642
  }
643
 
644
  $this->init_full_capabilities();
645
+ if (empty($this->role_additional_options)) {
646
+ $this->role_additional_options = URE_Role_Additional_Options::get_instance($this);
647
+ }
648
+
649
  if (!$this->is_pro()) {
650
  require_once(URE_PLUGIN_DIR . 'includes/class-advertisement.php');
651
  }
1345
  <button id="ure_delete_capability" class="ure_toolbar_button">Delete Capability</button>
1346
  <?php
1347
  }
1348
+ if ($this->multisite && !is_network_admin()) { // Show for single site for WP multisite only
1349
  ?>
1350
  <hr />
1351
  <button id="ure_default_role" class="ure_toolbar_button">Default Role</button>
1352
  <hr />
1353
+ <?php
1354
+ }
1355
+ ?>
1356
  <div id="ure_service_tools">
1357
  <?php
1358
  do_action('ure_role_edit_toolbar_service');
1798
 
1799
  update_option($option_name, $this->roles);
1800
 
1801
+ // save additional options for the current role
1802
+ if (empty($this->role_additional_options)) {
1803
+ $this->role_additional_options = URE_Role_Additional_Options::get_instance($this);
1804
+ }
1805
+ $this->role_additional_options->save($this->current_role);
1806
+
1807
  return true;
1808
  }
1809
  // end of save_roles()
2188
  protected function change_default_role() {
2189
  global $wp_roles;
2190
 
2191
+ if (!$this->multisite || is_network_admin()) {
2192
+ return 'Try to misuse the plugin functionality';
2193
+ }
2194
  $mess = '';
2195
  if (!isset($wp_roles)) {
2196
  $wp_roles = new WP_Roles();
2590
 
2591
  private function role_default_prepare_html($select_width=200) {
2592
 
2593
+ if (!$this->multisite || is_network_admin()) {
2594
+ return;
2595
+ }
2596
+
2597
  $caps_access_restrict_for_simple_admin = $this->get_option('caps_access_restrict_for_simple_admin', 0);
2598
  $show_admin_role = $this->show_admin_role_allowed();
2599
  if ($select_width>0) {
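Review bot: The lazy initialisation `if (empty($this->role_additional_options)) { $this->role_additional_options = URE_Role_Additional_Options::get_instance($this); }` is now duplicated verbatim in the capabilities-init hunk and in `save_roles()`; since `get_instance()` is already a singleton, a private accessor `get_role_additional_options()` returning the cached instance would remove the duplication and give the role-edit template a single call path instead of reading the protected property directly. In `change_default_role()` the new guard returns the literal `'Try to misuse the plugin functionality'`, while the surrounding code routes user-facing text through `esc_html__()` with the `user-role-editor` text domain — consider `return esc_html__('Try to misuse the plugin functionality', 'user-role-editor');` for consistency. The bodies of `save_roles()`, `change_default_role()` and `role_default_prepare_html()` all start or end outside these hunks.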
includes/class-user-role-editor.php CHANGED
@@ -6,7 +6,7 @@
6
  * Author URI: https://www.role-editor.com
7
  * License: GPL v2+
8
  *
9
- */
10
 
11
  class User_Role_Editor {
12
  // plugin specific library object: common code stuff, including options data processor
@@ -52,6 +52,9 @@ class User_Role_Editor {
52
  add_action( 'wpmu_new_blog', array($this, 'duplicate_roles_for_new_blog'), 10, 2);
53
  }
54
 
 
 
 
55
  if (!is_admin()) {
56
  return;
57
  }
@@ -73,7 +76,7 @@ class User_Role_Editor {
73
  // add a Settings link in the installed plugins page
74
  add_filter('plugin_action_links_'. URE_PLUGIN_BASE_NAME, array($this, 'plugin_action_links'), 10, 1);
75
  add_filter('plugin_row_meta', array($this, 'plugin_row_meta'), 10, 2);
76
-
77
  }
78
  // end of __construct()
79
 
@@ -89,65 +92,57 @@ class User_Role_Editor {
89
  // end of is_pro()
90
 
91
 
92
- /**
93
- * Plugin initialization
94
- *
95
- */
96
- public function plugin_init() {
97
 
98
- global $current_user, $pagenow;
99
 
100
- if (!empty($current_user->ID)) {
101
- $user_id = $current_user->ID;
102
- } else {
103
- $user_id = 0;
104
- }
105
 
106
- $supress_protection = apply_filters('ure_supress_administrators_protection', false);
107
- // these filters and actions should prevent editing users with administrator role
108
- // by other users with 'edit_users' capability
109
- if (!$supress_protection && !$this->lib->user_is_admin($user_id)) {
110
- // Exclude administrator role from edit list.
111
- add_filter('editable_roles', array($this, 'exclude_admin_role' ) );
112
- // prohibit any actions with user who has Administrator role
113
- add_filter('user_has_cap', array($this, 'not_edit_admin' ), 10, 3);
114
- // exclude users with 'Administrator' role from users list
115
- add_action('pre_user_query', array($this, 'exclude_administrators' ) );
116
- // do not show 'Administrator (s)' view above users list
117
- add_filter('views_users', array($this, 'exclude_admins_view' ) );
118
- }
119
-
120
- add_action( 'admin_enqueue_scripts', array($this, 'admin_load_js' ) );
121
- add_action( 'user_row_actions', array($this, 'user_row'), 10, 2 );
122
- add_filter( 'all_plugins', array($this, 'exclude_from_plugins_list' ) );
123
-
124
- if ($this->lib->multisite) {
125
- $allow_edit_users_to_not_super_admin = $this->lib->get_option('allow_edit_users_to_not_super_admin', 0);
126
- if ($allow_edit_users_to_not_super_admin) {
127
- add_filter( 'map_meta_cap', array($this, 'restore_users_edit_caps'), 1, 4 );
128
- remove_all_filters( 'enable_edit_any_user_configuration' );
129
- add_filter( 'enable_edit_any_user_configuration', '__return_true');
130
- add_filter( 'admin_head', array($this, 'edit_user_permission_check'), 1, 4 );
131
- if ($pagenow=='user-new.php') {
132
- add_filter( 'site_option_site_admins', array($this, 'allow_add_user_as_superadmin') );
133
- }
134
  }
135
- } else {
136
- $count_users_without_role = $this->lib->get_option('count_users_without_role', 0);
137
- if ($count_users_without_role) {
138
- add_action( 'restrict_manage_users', array($this, 'move_users_from_no_role_button') );
139
- add_action( 'admin_init', array($this, 'add_css_to_users_page'));
140
- add_action( 'admin_footer', array($this, 'add_js_to_users_page') );
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
141
  }
 
 
142
  }
 
143
 
144
- add_action('wp_ajax_ure_ajax', array($this, 'ure_ajax'));
145
 
146
- }
147
- // end of plugin_init()
148
-
149
-
150
- /**
151
  * Allow non-superadmin user to add/create users to the site as superadmin does.
152
  * Include current user to the list of superadmins - for the user-new.php page only, and
153
  * if user really can create_users and promote_users
@@ -306,120 +301,6 @@ class User_Role_Editor {
306
  }
307
  // end of edit_user_permission_check()
308
 
309
-
310
- /**
311
- * exclude administrator role from the roles list
312
- *
313
- * @param string $roles
314
- * @return array
315
- */
316
- public function exclude_admin_role($roles)
317
- {
318
-
319
- if (isset($roles['administrator'])) {
320
- unset($roles['administrator']);
321
- }
322
-
323
- return $roles;
324
- }
325
- // end of exclude_admin_role()
326
-
327
-
328
- /**
329
- * We have two vulnerable queries with user id at admin interface, which should be processed
330
- * 1st: http://blogdomain.com/wp-admin/user-edit.php?user_id=ID&wp_http_referer=%2Fwp-admin%2Fusers.php
331
- * 2nd: http://blogdomain.com/wp-admin/users.php?action=delete&user=ID&_wpnonce=ab34225a78
332
- * If put Administrator user ID into such request, user with lower capabilities (if he has 'edit_users')
333
- * can edit, delete admin record
334
- * This function removes 'edit_users' capability from current user capabilities
335
- * if request has admin user ID in it
336
- *
337
- * @param array $allcaps
338
- * @param type $caps
339
- * @param string $name
340
- * @return array
341
- */
342
- public function not_edit_admin($allcaps, $caps, $name) {
343
-
344
- $user_keys = array('user_id', 'user');
345
- foreach ($user_keys as $user_key) {
346
- $access_deny = false;
347
- $user_id = $this->lib->get_request_var($user_key, 'get');
348
- if (!empty($user_id)) {
349
- if ($user_id == 1) { // built-in WordPress Admin
350
- $access_deny = true;
351
- } else {
352
- if (!isset($this->lib->user_to_check[$user_id])) {
353
- // check if user_id has Administrator role
354
- $access_deny = $this->lib->has_administrator_role($user_id);
355
- } else {
356
- // user_id was checked already, get result from cash
357
- $access_deny = $this->lib->user_to_check[$user_id];
358
- }
359
- }
360
- if ($access_deny) {
361
- unset($allcaps['edit_users']);
362
- }
363
- break;
364
- }
365
- }
366
-
367
- return $allcaps;
368
- }
369
- // end of not_edit_admin()
370
-
371
-
372
- /**
373
- * add where criteria to exclude users with 'Administrator' role from users list
374
- *
375
- * @global wpdb $wpdb
376
- * @param type $user_query
377
- */
378
- public function exclude_administrators($user_query) {
379
-
380
- global $wpdb;
381
-
382
- $result = false;
383
- $links_to_block = array('profile.php', 'users.php');
384
- foreach ($links_to_block as $key => $value) {
385
- $result = stripos($_SERVER['REQUEST_URI'], $value);
386
- if ($result !== false) {
387
- break;
388
- }
389
- }
390
-
391
- if ($result === false) { // block the user edit stuff only
392
- return;
393
- }
394
-
395
- // get user_id of users with 'Administrator' role
396
- $tableName = (!$this->lib->multisite && defined('CUSTOM_USER_META_TABLE')) ? CUSTOM_USER_META_TABLE : $wpdb->usermeta;
397
- $meta_key = $wpdb->prefix . 'capabilities';
398
- $admin_role_key = '%"administrator"%';
399
- $query = "select user_id
400
- from $tableName
401
- where meta_key='$meta_key' and meta_value like '$admin_role_key'";
402
- $ids_arr = $wpdb->get_col($query);
403
- if (is_array($ids_arr) && count($ids_arr) > 0) {
404
- $ids = implode(',', $ids_arr);
405
- $user_query->query_where .= " AND ( $wpdb->users.ID NOT IN ( $ids ) )";
406
- }
407
- }
408
- // end of exclude_administrators()
409
-
410
-
411
- /*
412
- * Exclude view of users with Administrator role
413
- *
414
- */
415
- public function exclude_admins_view($views) {
416
-
417
- unset($views['administrator']);
418
-
419
- return $views;
420
- }
421
- // end of exclude_admins_view()
422
-
423
 
424
  /**
425
  * Add/hide edit actions for every user row at the users list
@@ -929,6 +810,15 @@ class User_Role_Editor {
929
 
930
  }
931
  // end of ure_ajax()
 
 
 
 
 
 
 
 
 
932
 
933
 
934
  // execute on plugin deactivation
6
  * Author URI: https://www.role-editor.com
7
  * License: GPL v2+
8
  *
9
+ */
10
 
11
  class User_Role_Editor {
12
  // plugin specific library object: common code stuff, including options data processor
52
  add_action( 'wpmu_new_blog', array($this, 'duplicate_roles_for_new_blog'), 10, 2);
53
  }
54
 
55
+ // setup additional options hooks for the roles
56
+ add_action('init', array($this, 'set_role_additional_options_hooks'), 9);
57
+
58
  if (!is_admin()) {
59
  return;
60
  }
76
  // add a Settings link in the installed plugins page
77
  add_filter('plugin_action_links_'. URE_PLUGIN_BASE_NAME, array($this, 'plugin_action_links'), 10, 1);
78
  add_filter('plugin_row_meta', array($this, 'plugin_row_meta'), 10, 2);
79
+
80
  }
81
  // end of __construct()
82
 
92
  // end of is_pro()
93
 
94
 
95
+ /**
96
+ * Plugin initialization
97
+ *
98
+ */
99
+ public function plugin_init() {
100
 
101
+ global $current_user, $pagenow;
102
 
103
+ if (!empty($current_user->ID)) {
104
+ $user_id = $current_user->ID;
105
+ } else {
106
+ $user_id = 0;
107
+ }
108
 
109
+ $supress_protection = apply_filters('ure_supress_administrators_protection', false);
110
+ // these filters and actions should prevent editing users with administrator role
111
+ // by other users with 'edit_users' capability
112
+ if (!$supress_protection && !$this->lib->user_is_admin($user_id)) {
113
+ new URE_Protect_Admin($this->lib);
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
114
  }
115
+
116
+ add_action('admin_enqueue_scripts', array($this, 'admin_load_js'));
117
+ add_action('user_row_actions', array($this, 'user_row'), 10, 2);
118
+ add_filter('all_plugins', array($this, 'exclude_from_plugins_list'));
119
+
120
+ if ($this->lib->multisite) {
121
+ $allow_edit_users_to_not_super_admin = $this->lib->get_option('allow_edit_users_to_not_super_admin', 0);
122
+ if ($allow_edit_users_to_not_super_admin) {
123
+ add_filter('map_meta_cap', array($this, 'restore_users_edit_caps'), 1, 4);
124
+ remove_all_filters('enable_edit_any_user_configuration');
125
+ add_filter('enable_edit_any_user_configuration', '__return_true');
126
+ add_filter('admin_head', array($this, 'edit_user_permission_check'), 1, 4);
127
+ if ($pagenow == 'user-new.php') {
128
+ add_filter('site_option_site_admins', array($this, 'allow_add_user_as_superadmin'));
129
+ }
130
+ }
131
+ } else {
132
+ $count_users_without_role = $this->lib->get_option('count_users_without_role', 0);
133
+ if ($count_users_without_role) {
134
+ add_action('restrict_manage_users', array($this, 'move_users_from_no_role_button'));
135
+ add_action('admin_init', array($this, 'add_css_to_users_page'));
136
+ add_action('admin_footer', array($this, 'add_js_to_users_page'));
137
+ }
138
  }
139
+
140
+ add_action('wp_ajax_ure_ajax', array($this, 'ure_ajax'));
141
  }
142
+ // end of plugin_init()
143
 
 
144
 
145
+ /**
 
 
 
 
146
  * Allow non-superadmin user to add/create users to the site as superadmin does.
147
  * Include current user to the list of superadmins - for the user-new.php page only, and
148
  * if user really can create_users and promote_users
301
  }
302
  // end of edit_user_permission_check()
303
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
304
 
305
  /**
306
  * Add/hide edit actions for every user row at the users list
810
 
811
  }
812
  // end of ure_ajax()
813
+
814
+
815
+ public function set_role_additional_options_hooks() {
816
+
817
+ $role_additional_options = URE_Role_Additional_Options::get_instance($this->lib);
818
+ $role_additional_options->set_active_items_hooks();
819
+
820
+ }
821
+ // end of set_role_additional_options_hooks()
822
 
823
 
824
  // execute on plugin deactivation
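Review bot: The new `set_role_additional_options_hooks()` has no docblock, unlike the neighbouring methods, and its registration on `init` at priority 9 sits before the `if (!is_admin()) return;` so it runs on front-end requests too — presumably deliberate, since the only built-in option hides the admin bar, but nothing says so. Suggest a docblock along the lines of `/** Registers the per-role "additional options" hooks (e.g. hide admin bar) for the current user's roles. Hooked to 'init' at priority 9 on every request, including the front-end, because the options must act outside wp-admin. */` and a matching one-line comment at the `add_action('init', ...)` call in the constructor. It also relies on `URE_Role_Additional_Options` being loaded outside wp-admin, which this diff does not show — confirm the class file is required unconditionally.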
includes/misc-support-stuff.php CHANGED
@@ -41,4 +41,14 @@ if (!function_exists('ure_get_post_view_access_users')) {
41
  }
42
  // end of ure_get_post_view_users()
43
 
44
- } // if (!function_exists('ure_get_post_view_users'))
 
 
 
 
 
 
 
 
 
 
41
  }
42
  // end of ure_get_post_view_users()
43
 
44
+ }
45
+
46
+
47
+ if (!function_exists('ure_hide_admin_bar')) {
48
+ function ure_hide_admin_bar() {
49
+
50
+ show_admin_bar(false);
51
+
52
+ }
53
+ // end of hide_admin_bar()
54
+ }
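Review bot: The trailing marker under the new `ure_hide_admin_bar()` reads `// end of hide_admin_bar()`, which does not match the function name the file's other markers follow; change it to `// end of ure_hide_admin_bar()`. A one-line docblock would also help, e.g. `/** Role "additional option" callback: hides the WordPress admin bar for the current request; wired by name from URE_Role_Additional_Options. */` — the function is referenced as a string in class-role-additional-options.php, so nothing in this file shows who calls it.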
includes/ure-role-edit.php CHANGED
@@ -14,7 +14,7 @@ if (!defined('URE_PLUGIN_URL')) {
14
 
15
  <div class="has-sidebar-content">
16
  <div class="postbox" style="float: left; min-width:850px;">
17
- <h3><?php esc_html_e('Select Role and change its capabilities:', 'user-role-editor'); ?> <?php echo $this->role_select_html; ?></h3>
18
  <div class="inside">
19
  <?php
20
  if ($this->caps_readable) {
@@ -92,9 +92,11 @@ if ($this->multisite && $this->active_for_network && !is_network_admin() && is_m
92
  </table>
93
  <?php
94
  } // if ($quant>0)
 
 
 
95
  ?>
96
-
97
- <input type="hidden" name="object" value="role" />
98
  <?php
99
  $this->display_box_end();
100
  ?>
14
 
15
  <div class="has-sidebar-content">
16
  <div class="postbox" style="float: left; min-width:850px;">
17
+ <h3>&nbsp;<?php esc_html_e('Select Role and change its capabilities:', 'user-role-editor'); ?> <?php echo $this->role_select_html; ?></h3>
18
  <div class="inside">
19
  <?php
20
  if ($this->caps_readable) {
92
  </table>
93
  <?php
94
  } // if ($quant>0)
95
+
96
+ $this->role_additional_options->show($this->current_role);
97
+
98
  ?>
99
+ <input type="hidden" name="object" value="role" />
 
100
  <?php
101
  $this->display_box_end();
102
  ?>
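Review bot: The template now calls `$this->role_additional_options->show($this->current_role);`, but `role_additional_options` is a lazily-initialised protected property of Ure_Lib (set elsewhere, outside this hunk), so if this view is ever rendered through a path that skips that initialisation the call is a fatal error on null. A defensive `if (!empty($this->role_additional_options)) { $this->role_additional_options->show($this->current_role); }` — or going through a getter that performs the initialisation — keeps the page rendering. I cannot see from this diff which code path includes the template, so treat the ordering as something to confirm rather than a known bug.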
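--- a/readme.txt
+++ b/readme.txt
@@ -3,8 +3,8 @@ Contributors: shinephp
 Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=vladimir%40shinephp%2ecom&lc=RU&item_name=ShinePHP%2ecom&item_number=User%20Role%20Editor%20WordPress%20plugin&currency_code=USD&bn=PP%2dDonationsBF%3abtn_donateCC_LG%2egif%3aNonHosted
 Tags: user, role, editor, security, access, permission, capability
 Requires at least: 4.0
-Tested up to: 4.3.1
-Stable tag: 4.19.3
+Tested up to: 4.4
+Stable tag: 4.20
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -77,6 +77,11 @@ https://translate.wordpress.org/projects/wp-plugins/user-role-editor/
 
 == Changelog ==
 
+= [4.20] 16.11.2015 =
+* "Additional options" section was added to the user role editor page. Currently it contains the only "Hide admin bar". The list of options may be customized/extended by developers via [ure_role_additonal_options](https://www.role-editor.com/documentation/ure-role-additional-options/) filter.
+* "Default Role" button is hidden to not duplicate functionality. Use "Settings - User Role Editor - Default Roles" tab instead. This button is available only for the single sites of WP multisite now.
+* Code restructure, optimization: administrator protection parts extracted to the separate class.
+
 = [4.19.3] 14.10.2015 =
 * Fix: minor CSS change.
 * Automatically add all available custom post types capabilities to the administrator role under the single site environment. Custom posts types selection query updated to include all custom post types except 'built-in' when adding custom capabilities for them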
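--- a/uninstall.php
+++ b/uninstall.php
@@ -19,6 +19,7 @@ if (!is_multisite()) {
 delete_option('ure_show_deprecated_caps');
 delete_option('ure_hide_pro_banner');
 delete_option('user_role_editor');
+delete_option('ure_role_additional_options_values');
 } else {
 $old_blog = $wpdb->blogid;
 // Get all blog ids
@@ -31,6 +32,7 @@ if (!is_multisite()) {
 delete_option('ure_show_deprecated_caps');
 delete_option('ure_hide_pro_banner');
 delete_option('user_role_editor');
+delete_option('ure_role_additional_options_values');
 }
 switch_to_blog($old_blog);
 }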
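Review bot: Both hunks maintain the same option list by hand, so the new `ure_role_additional_options_values` had to be added twice and a future option can easily be dropped from one of the branches, leaving plugin data behind after uninstall. Declaring the names once and looping, `foreach (array('ure_show_deprecated_caps', 'ure_hide_pro_banner', 'user_role_editor', 'ure_role_additional_options_values') as $option) { delete_option($option); }`, keeps the single-site and per-blog branches in step; only the names visible in the hunks are listed here, and any others deleted above line 19 would join the same array. The enclosing `if (!is_multisite())` block starts and ends outside the hunks.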
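--- a/user-role-editor.php
+++ b/user-role-editor.php
@@ -3,7 +3,7 @@
 Plugin Name: User Role Editor
 Plugin URI: https://www.role-editor.com
 Description: Change/add/delete WordPress user roles and capabilities.
-Version: 4.19.3
+Version: 4.20
 Author: Vladimir Garagulya
 Author URI: https://www.role-editor.com
 Text Domain: ure
@@ -23,7 +23,7 @@ if (defined('URE_PLUGIN_URL')) {
 wp_die('It seems that other version of User Role Editor is active. Please deactivate it before use this version');
 }
 
-define('URE_VERSION', '4.19.3');
+define('URE_VERSION', '4.20.b2');
 define('URE_PLUGIN_URL', plugin_dir_url(__FILE__));
 define('URE_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('URE_PLUGIN_BASE_NAME', plugin_basename(__FILE__));
@@ -49,8 +49,10 @@ Ure_Lib::check_version(get_bloginfo('version'), $ure_required_wp_version, $exit_
 
 require_once(URE_PLUGIN_DIR .'includes/define-constants.php');
 require_once(URE_PLUGIN_DIR .'includes/misc-support-stuff.php');
+require_once(URE_PLUGIN_DIR .'includes/class-role-additional-options.php');
 require_once(URE_PLUGIN_DIR .'includes/class-assign-role.php');
 require_once(URE_PLUGIN_DIR .'includes/class-user-other-roles.php');
+require_once(URE_PLUGIN_DIR .'includes/class-protect-admin.php');
 require_once(URE_PLUGIN_DIR .'includes/class-ajax-processor.php');
 require_once(URE_PLUGIN_DIR .'includes/class-ure-screen-help.php');
 require_once(URE_PLUGIN_DIR .'includes/class-known-js-css-compatibility-issues.php');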
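Review bot: `define('URE_VERSION', '4.20.b2');` in the second hunk disagrees with the `Version: 4.20` plugin header in the first hunk and with the readme's `Stable tag: 4.20`, which reads like a beta string left in the release; any code that reports or compares `URE_VERSION` will see a value different from the one WordPress shows for the plugin. It should be `define('URE_VERSION', '4.20');`, and keeping the constant in one place that the header is generated from would prevent the two drifting again. The third hunk loads `class-protect-admin.php` after `class-user-other-roles.php`; that is fine as long as the new file only declares a class and has no load-order dependency on the files required after it, which cannot be confirmed from this hunk.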