Cloudflare-WordPress icon indicating copy to clipboard operation
Cloudflare-WordPress copied to clipboard

Published 20 hours ago verified publisher icon cloudflare

Empty settings page for users with custom role having the `manage_options` capability

Open rvdsteege opened this issue 1 year ago • 5 comments

Confirmation

  • [X] My issue isn't already found on the issue tracker.
  • [X] I have replicated my issue using the latest version of the plugin and it is still present.

WordPress version

6.4.3

Cloudflare-WordPress version

4.12.6

PHP version

7.4.33

Expected result

A user with a custom role which has the manage_options capability, being able to purge the cache through the Settings → Cloudflare page.

Actual result

When clicking the "Cloudflare" admin menu item, an empty page is displayed and CONFIG_FETCH_ERROR and ZONES_FETCH_ERRORS errors occur in the console.

Steps to reproduce

  1. Create a user with custom role, having the manage_options capability (e.g. using the Members plugin; https://wordpress.org/plugins/members/)
  2. Visit Settings → Cloudflare

Additional factoids

It appears that the changes from https://github.com/cloudflare/Cloudflare-WordPress/pull/529 are causing the issues (released in version 4.12.3). The "Cloudflare" admin menu item requires the manage_options capability and the WordPress AJAX action cloudflare_proxy — which seems needed to load the settings page — is checking for the administrator role.

https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/Hooks.php#L82-L87

https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/Proxy.php#L56-L60

It might be better to check against the manage_options capability in the proxy too, so both will be checking the same requirement to access the settings page.

Also, as mentioned in the WordPress developer documentation at https://developer.wordpress.org/reference/functions/current_user_can/, checking against a role instead of a capability using current_user_can() is discouraged:

While checking against particular roles in place of a capability is supported in part, this practice is discouraged as it may produce unreliable results.

https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/WordPressAPI.php#L159-L165

https://github.com/cloudflare/Cloudflare-WordPress/blob/58db13b91fbd5e8613a8599d58cf05d04914d7e6/src/WordPress/WordPressWrapper.php#L39-L42

References

https://github.com/cloudflare/Cloudflare-WordPress/pull/529

rvdsteege avatar Apr 03 '24 12:04 rvdsteege

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Oct 01 '24 02:10 github-actions[bot]

Is there someone from the @Cloudflare team who can review the PR and merge it if possible?

remcotolsma avatar Oct 01 '24 06:10 remcotolsma

As I have not heard anything since opening this issue in April, I reported it through Cloudflare support. The case ID is 01317769.

rvdsteege avatar Dec 18 '24 11:12 rvdsteege

I've received reply (March 24, 2025 at 2:53 AM) in the support case that this plugin is not maintained anymore:

We are not maintaining the APO plugin at the moment, so you will not see an updated version soon.

Unfortunately, this issue will persist then.

rvdsteege avatar Mar 26 '25 15:03 rvdsteege

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.

jordantrizz avatar Mar 27 '25 01:03 jordantrizz

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.

Biased of course, but one of the primary reasons for this is because it's seemed the official plugin has been deprecated for years (before they officially confirmed that's the case).

https://wordpress.org/plugins/app-for-cf/

Enabling "Guest page caching" does what APO does.

shawn-digitalpoint avatar Jun 16 '25 16:06 shawn-digitalpoint

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.

Biased of course, but one of the primary reasons for this is because it's seemed the official plugin has been deprecated for years (before they officially confirmed that's the case).

https://wordpress.org/plugins/app-for-cf/

Enabling "Guest page caching" does what APO does.

Would it be possible to confirm if that plugin with Guest page caching, indeed provides exactly the same features APO provides?

jmzolezzi avatar Aug 17 '25 01:08 jmzolezzi

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.

Biased of course, but one of the primary reasons for this is because it's seemed the official plugin has been deprecated for years (before they officially confirmed that's the case). https://wordpress.org/plugins/app-for-cf/ Enabling "Guest page caching" does what APO does.

Would it be possible to confirm if that plugin with Guest page caching, indeed provides exactly the same features APO provides?

While very similar, it's not exactly the same from a technical standpoint (fundamentally, it's the same thing as far as being able to serve HTML pages from Cloudflare's edge).

The differences:

APO pros:

  • New content is proactively pushed to cache before a user requests the page (App for Cloudflare sends it to cache the first time a user requests the new content).

App for Cloudflare pros:

  • Free (does not require a paid Cloudflare plan or $5/month).
  • Ability to leverage preloading/Early Hints to push a page's JavaScript and CSS to the client faster.
  • Actively developed (been a few years since the APO plugin has had anything substantial done to it). Changelog for App for Cloudflare is here.
  • It has a not insignificant number of features that the APO plugin hasn't scratched the surface on (for example the ability to do image transforms on WordPress Media to convert them to WebP/AVIF as needed).

Generally speaking, App for Cloudflare's Guest Page Caching will yield the same TTFB (doing the same thing... caching HTML at the edge), but a faster user experience if you also use the preloading option, image transformations or other various things it can do.

shawn-digitalpoint avatar Aug 17 '25 01:08 shawn-digitalpoint

There's good news!

We’re currently in the process of updating the official Cloudflare APO plugin, and part of that effort includes reviewing and improving compatibility with other plugins. While we can’t promise fixes for every specific conflict just yet, your report is really helpful and will be factored into that work.

remkus avatar Sep 12 '25 09:09 remkus

There's good news!

We’re currently in the process of updating the official Cloudflare APO plugin, and part of that effort includes reviewing and improving compatibility with other plugins. While we can’t promise fixes for every specific conflict just yet, your report is really helpful and will be factored into that work.

Anything official from Cloudflare about this commitment?

jordantrizz avatar Sep 18 '25 02:09 jordantrizz

My comment, for now, is as official as it gets.

remkus avatar Sep 18 '25 07:09 remkus