
Elementor prompts non admin users to input HTTPAuth if page is behind HTTPAuth on post save

Open Setyl opened this issue 3 years ago • 3 comments

  • [x] I've read and understood the contribution guidelines.
  • [x] I've searched for any related issues and avoided creating a duplicate issue.

Please give us a description of what happened.

If I save a post in Elementor while having the editor role, I get an HTTPAuth prompt because admin-ajax.php tries to send a 401 Unauthorized, if the whole site is behind an HTTPAuth.

Please describe what you expected to happen and why.

I'd love to have no prompt at all.

The problem is in the file /wordpress-seo/src/integrations/third-party/elementor.php, lines 241-243:

    if ( ! \current_user_can( 'manage_options' ) ) {
        \wp_send_json_error( 'Unauthorized', 401 );
    }

I'd suggest using a Yoast capability instead, like 'wpseo_manage_options', as editors don't have 'manage_options'.

How can we reproduce this behavior?

  1. Secure your site with HTTPAuth via .htaccess or similar
  2. Login with editor role
  3. Save a post in the Elementor editor

Technical info

  • If relevant, which editor is affected (or editors):
  • [x] Elementor
  • Which browser is affected (or browsers):
  • [x] Chrome
  • [x] Firefox
  • [ ] Safari
  • [ ] Other

Used versions

  • WordPress version: 6.0
  • Yoast SEO version: 19.1
  • Elementor version: 3.6.6
  • Tested with theme: Twenty Twenty-Two 1.2

Setyl, Jun 20 '22 14:06

Thanks for bringing this to our attention. I investigated this and was able to reproduce it on our end. However, when I used wpseo_manage_options as you recommended in the following, it didn't fix the issue.

https://github.com/Yoast/wordpress-seo/blob/6742cd4a221098bf52e7929bf8c27f14cc3f4396/src/integrations/third-party/elementor.php#L241

So, there's probably something else going on that needs a deeper look. So, I marked it as a bug to ensure it gets attention from our development team.

mmikhan, Jun 21 '22 23:06

Thanks for reaching back. It's right, it won't fix the issue, but one can then change the editor capability in functions.php to allow wpseo_manage_options. Another option is to not send a 401 error. But I think using the manage_options capability isn't best practice by any means.

Setyl, Jun 22 '22 10:06

Prioritized the issue internally: IM-1932

mmikhan, Aug 09 '22 17:08