
Empty settings page for users with custom role having the `manage_options` capability

Open rvdsteege opened this issue 10 months ago • 0 comments

Confirmation

  • [X] My issue isn't already found on the issue tracker.
  • [X] I have replicated my issue using the latest version of the plugin and it is still present.

WordPress version

6.4.3

Cloudflare-WordPress version

4.12.6

PHP version

7.4.33

Expected result

A user with a custom role that has the manage_options capability is able to purge the cache through the Settings → Cloudflare page.

Actual result

When clicking the "Cloudflare" admin menu item, an empty page is displayed and CONFIG_FETCH_ERROR and ZONES_FETCH_ERRORS errors occur in the console.

Steps to reproduce

  1. Create a user with custom role, having the manage_options capability (e.g. using the Members plugin; https://wordpress.org/plugins/members/)
  2. Visit Settings → Cloudflare

Additional factoids

It appears that the changes from https://github.com/cloudflare/Cloudflare-WordPress/pull/529 are causing the issues (released in version 4.12.3). The "Cloudflare" admin menu item requires the manage_options capability and the WordPress AJAX action cloudflare_proxy — which seems needed to load the settings page — is checking for the administrator role.

https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/Hooks.php#L82-L87

https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/Proxy.php#L56-L60

It might be better to check against the manage_options capability in the proxy too, so both will be checking the same requirement to access the settings page.


Also, as mentioned in the WordPress developer documentation at https://developer.wordpress.org/reference/functions/current_user_can/, checking against a role instead of a capability using current_user_can() is discouraged:

> While checking against particular roles in place of a capability is supported in part, this practice is discouraged as it may produce unreliable results.

https://github.com/cloudflare/Cloudflare-WordPress/blob/dd13e1509194ee0a15c4f737082d39cdc226ad71/src/WordPress/WordPressAPI.php#L159-L165

https://github.com/cloudflare/Cloudflare-WordPress/blob/58db13b91fbd5e8613a8599d58cf05d04914d7e6/src/WordPress/WordPressWrapper.php#L39-L42

References

https://github.com/cloudflare/Cloudflare-WordPress/pull/529

rvdsteege · Apr 03 '24 12:04
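As an added example, not the plugin's own code, a minimal admin-ajax handler gated the two ways the issue contrasts: a role check that rejects a custom role holding `manage_options`, and a capability check that mirrors the requirement already placed on the menu item. The hook name `wp_ajax_example_proxy`, the function names and the nonce action `example_proxy` are assumptions for this illustration.

```php
<?php
// Added example (not Cloudflare-WordPress code). Hook, function and nonce
// names are hypothetical; the WordPress functions used are real.

// Role-based guard: current_user_can( 'administrator' ) is false for a user
// whose custom role carries manage_options, so the request is refused and the
// settings page cannot load its data. This is the failure mode in the issue.
function example_proxy_role_guard() {
    if ( ! current_user_can( 'administrator' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_send_json_success( array( 'message' => 'ok' ) );
}

// Capability-based guard: any role that grants manage_options passes, which
// matches the check on the Settings > Cloudflare menu item, so the menu and
// the AJAX endpoint agree on who may use the page.
function example_proxy_capability_guard() {
    // Reject requests without a valid nonce before any other work; the nonce
    // action 'example_proxy' and query arg 'nonce' are assumptions here.
    check_ajax_referer( 'example_proxy', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    wp_send_json_success( array( 'message' => 'ok' ) );
}

// Register the capability-based handler for logged-in admin-ajax requests.
add_action( 'wp_ajax_example_proxy', 'example_proxy_capability_guard' );
```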