User Role Editor - Version 4.35.2

Version Description


Release Info

Developer shinephp
Version 4.35.2

Code changes from version 4.35.1 to 4.35.2

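--- a/includes/classes/protect-admin.php
+++ b/includes/classes/protect-admin.php
@@ -15,13 +15,17 @@ class URE_Protect_Admin {
  private $user_to_check = null; // cached list of user IDs, who has Administrator role
 
  public function __construct($lib) {
+ global $pagenow;
+
  $this->lib = $lib;
  $this->user_to_check = array();
 
  // Exclude administrator role from edit list.
  add_filter('editable_roles', array($this, 'exclude_admin_role'));
- // prohibit any actions with user who has Administrator role
- add_filter('user_has_cap', array($this, 'not_edit_admin'), 10, 3);
+ if (in_array($pagenow, array('users.php', 'user-edit.php'))) {
+ // prohibit any actions with user who has Administrator role
+ add_filter('user_has_cap', array($this, 'not_edit_admin'), 10, 3);
+ }
  // exclude users with 'Administrator' role from users list
  add_action('pre_user_query', array($this, 'exclude_administrators'));
  // do not show 'Administrator (s)' view above users list
@@ -32,13 +36,12 @@ class URE_Protect_Admin {
 
  // apply protection to the user edit pages only
  protected function is_protection_applicable() {
+ global $pagenow;
+
  $result = false;
- $links_to_block = array('profile.php', 'users.php', 'user-new.php');
- foreach ($links_to_block as $key => $value) {
- $result = stripos($_SERVER['REQUEST_URI'], $value);
- if ($result !== false) {
- break;
- }
+ $pages_to_block = array('profile.php', 'users.php', 'user-new.php', 'user-edit.php');
+ if (in_array($pagenow, $pages_to_block)) {
+ $result = true;
  }
 
  return $result;
@@ -103,8 +106,8 @@ class URE_Protect_Admin {
  * 2nd: http://blogdomain.com/wp-admin/users.php?action=delete&user=ID&_wpnonce=ab34225a78
  * If put Administrator user ID into such request, user with lower capabilities (if he has 'edit_users')
  * can edit, delete admin record
- * This function removes 'edit_users' capability from current user capabilities
- * if request has admin user ID in it
+ * This function removes 'edit_users' or 'delete_users' or 'remove_users' capability from current user capabilities,
+ * if request sent against a user with 'administrator' role
  *
  * @param array $allcaps
  * @param type $caps
@@ -112,13 +115,18 @@ class URE_Protect_Admin {
  * @return array
  */
  public function not_edit_admin($allcaps, $caps, $name) {
+ $cap = (is_array($caps) & count($caps)>0) ? $caps[0] : $caps;
+ $checked_caps = array('edit_users', 'delete_users', 'remove_users');
+ if (!in_array($cap, $checked_caps)) {
+ return $allcaps;
+ }
 
  $user_keys = array('user_id', 'user');
  foreach ($user_keys as $user_key) {
  $access_deny = false;
  $user_id = $this->lib->get_request_var($user_key, 'get');
- if (empty($user_id)) {
- break;
+ if (empty($user_id)) { // check the next key
+ continue;
  }
  if ($user_id == 1) { // built-in WordPress Admin
  $access_deny = true;
@@ -131,8 +139,9 @@ class URE_Protect_Admin {
  $access_deny = $this->user_to_check[$user_id];
  }
  }
- if ($access_deny) {
- unset($allcaps['edit_users']);
+ if ($access_deny && isset($allcaps[$cap])) {
+ unset($allcaps[$cap]);
+
  }
  break;
  }
@@ -150,7 +159,7 @@ class URE_Protect_Admin {
  */
  public function exclude_administrators($user_query) {
 
- global $wpdb;
+ global $wpdb, $current_user;
 
  if (!$this->is_protection_applicable()) { // block the user edit stuff only
  return;
@@ -160,9 +169,9 @@ class URE_Protect_Admin {
  $tableName = $this->lib->get_usermeta_table_name();
  $meta_key = $wpdb->prefix . 'capabilities';
  $admin_role_key = '%"administrator"%';
- $query = "select user_id
- from $tableName
- where meta_key='$meta_key' and meta_value like '$admin_role_key'";
+ $query = "SELECT user_id
+ FROM $tableName
+ WHERE user_id!={$current_user->ID} AND meta_key='{$meta_key}' AND meta_value like '{$admin_role_key}'";
  $ids_arr = $wpdb->get_col($query);
  if (is_array($ids_arr) && count($ids_arr) > 0) {
  $ids = implode(',', $ids_arr);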
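Review bot: In `__construct` (which continues past the hunk), the `user_has_cap` filter is now registered only when `$pagenow` is `users.php` or `user-edit.php`, so a capability check for `edit_users`, `delete_users` or `remove_users` made from any other entry script no longer passes through `not_edit_admin`, whereas the removed lines hooked it unconditionally. Since `not_edit_admin` now returns early for every other capability, the filter is cheap to register on every request: keep `add_filter('user_has_cap', array($this, 'not_edit_admin'), 10, 3);` outside the `in_array($pagenow, …)` test, or add a comment naming the entry points that are deliberately left uncovered. Whether other screens can reach an administrator record with a `user` or `user_id` GET parameter is not visible in this diff and should be confirmed. In `not_edit_admin`, `is_array($caps) & count($caps)>0` uses bitwise `&`, which does not short-circuit, so `count()` still runs when `$caps` is not an array; `&&` is what the guard needs.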
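--- a/includes/classes/user-other-roles.php
+++ b/includes/classes/user-other-roles.php
@@ -123,7 +123,7 @@ class URE_User_Other_Roles {
  // end of get_roles_array()
 
 
- private function roles_select_html($user) {
+ private function roles_select_html($user, $context) {
 
  global $wp_roles;
 
@@ -133,20 +133,25 @@ class URE_User_Other_Roles {
  if (isset($roles[$primary_role])) { // exclude role assigned to the user as a primary role
  unset($roles[$primary_role]);
  }
- $other_roles = $this->get_roles_array($user);
-
+
  echo '<select multiple="multiple" id="ure_select_other_roles" name="ure_select_other_roles" style="width: 500px;" >'."\n";
  foreach($roles as $key=>$role) {
  echo '<option value="'.$key.'" >'.$role['name'].'</option>'."\n";
  } // foreach()
  echo '</select><br>'."\n";
-
+
+ if ($context=='add-new-user') {
+ // Get other default roles
+ $other_roles = $this->lib->get_option('other_default_roles', array());
+ } else {
+ $other_roles = $this->get_roles_array($user);
+ }
  if (is_array($other_roles) && count($other_roles) > 0) {
  $other_roles_str = implode(',', $other_roles);
  } else {
  $other_roles_str = '';
  }
- echo '<input type="hidden" name="ure_other_roles" id="ure_other_roles" value="' . $other_roles_str . '" />';
+ echo '<input type="hidden" name="ure_other_roles" id="ure_other_roles" value="' . $other_roles_str . '" />';
 
 
  $output = $this->lib->roles_text($other_roles);
@@ -186,7 +191,7 @@ class URE_User_Other_Roles {
  <th scope="row"><?php esc_html_e('Other Roles', 'user-role-editor'); ?></th>
  <td>
  <?php
- $this->roles_select_html($user);
+ $this->roles_select_html($user, $context);
  ?>
  </td>
  </tr>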
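Review bot: The hidden `ure_other_roles` field in `roles_select_html` echoes `$other_roles_str` into an HTML attribute without escaping, and on the `add-new-user` path that string now comes from the stored `other_default_roles` option rather than from the user's own roles. Escaping the value keeps a stray quote in a stored role id from breaking out of the attribute: `value="' . esc_attr($other_roles_str) . '"`. The unchanged `<option>` line above it has the same shape and would take `esc_attr($key)` and `esc_html($role['name'])`. The function's opening lines and the place where `$context` is set lie outside the hunks shown, so the values it can take should be checked against the loose `=='add-new-user'` comparison.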
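--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=vladi
  Tags: user, role, editor, security, access, permission, capability
  Requires at least: 4.0
  Tested up to: 4.8
- Stable tag: 4.35.1
+ Stable tag: 4.35.2
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -78,6 +78,11 @@ https://translate.wordpress.org/projects/wp-plugins/user-role-editor/
 
 
  == Changelog =
+
+ = [4.35.2] 18.07.2017 =
+ * Fix: Multiple default roles (if defined at URE's settings) are selected automatically at 'add-new-user' page.
+ * Update: Code enhancement for protection of users with 'administrator' role from each other. Current user can see his own record and edit own profile.
+
  = [4.35.1] 10.07.2017 =
  * Fix: "Grant Roles" button at the bottom of "Users" page did not work as had the same ID as a similar button at the top of this page.
  * Update: when bbPress plugin is active, "Grant Roles" does not revoke bbPress role granted to user anymore.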
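--- a/user-role-editor.php
+++ b/user-role-editor.php
@@ -3,7 +3,7 @@
  Plugin Name: User Role Editor
  Plugin URI: https://www.role-editor.com
  Description: Change/add/delete WordPress user roles and capabilities.
- Version: 4.35.1
+ Version: 4.35.2
  Author: Vladimir Garagulya
  Author URI: https://www.role-editor.com
  Text Domain: ure
@@ -23,7 +23,7 @@ if (defined('URE_PLUGIN_URL')) {
  wp_die('It seems that other version of User Role Editor is active. Please deactivate it before use this version');
  }
 
- define('URE_VERSION', '4.35.1');
+ define('URE_VERSION', '4.35.2');
  define('URE_PLUGIN_URL', plugin_dir_url(__FILE__));
  define('URE_PLUGIN_DIR', plugin_dir_path(__FILE__));
  define('URE_PLUGIN_BASE_NAME', plugin_basename(__FILE__));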