hm-redirects

Change default permissions type from post

Open roborourke opened this issue 7 years ago • 4 comments

Right now even contributors can see and create redirects. This might not be ideal so we should at least restrict it to those with publishing caps or even just to admins.

If we make it easy to change who has access via a filter or just documenting using the roles API then I think restricting to admins is the right call.

roborourke avatar Mar 08 '18 11:03 roborourke

Hi @roborourke

I think the easiest way to achieve this is by checking the logged-in user's role before https://github.com/humanmade/hm-redirects/blob/master/includes/post-type.php#L19, like:

$current_user = wp_get_current_user();

if ( empty( $current_user ) || ! in_array( 'administrator', $current_user->roles, true ) ) {
	return;
}

And we can also add one filter to allow multiple roles who can access Redirects.

Let me know if this is fine, happy to open up a PR.

sanketio avatar Jun 03 '19 13:06 sanketio

@sanketio that's not a good approach unfortunately - you should never conditionally register post types. For legitimate unauthenticated requests to redirect URLs WP would throw an error when it tries to query a non-existent post type.

The correct approach is just to set 'capability_type' => 'hm_redirect' and 'map_meta_cap' => true. May also need a map_meta_cap filter to ensure single site admins can edit them on multisite installs too.

roborourke avatar Jun 03 '19 14:06 roborourke
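
The capability-based approach from the comment above, as an added example (not hm-redirects code and not written by either commenter). The post type slug, the `example_` function and option names, and the `example_redirect_roles` filter are assumptions made for illustration; the multisite `map_meta_cap` filter mentioned in the comment is not covered.

```php
<?php
// Added example. Slug, function names, option name and filter name are assumptions.
const EXAMPLE_REDIRECT_POST_TYPE = 'hm_redirect';

// Register the post type unconditionally on every request, so front-end
// redirect lookups made by unauthenticated visitors can still query it.
add_action( 'init', function () {
	register_post_type( EXAMPLE_REDIRECT_POST_TYPE, [
		'label'           => 'Redirects',
		'public'          => false,
		'show_ui'         => true,
		// Replaces the default 'post' caps with edit_hm_redirects,
		// publish_hm_redirects, delete_hm_redirects and so on.
		'capability_type' => 'hm_redirect',
		// Let core translate edit_post / read_post / delete_post for a
		// single redirect into the primitive caps generated above.
		'map_meta_cap'    => true,
	] );
} );

// Role capabilities are stored in the database, so grant them once.
add_action( 'admin_init', function () {
	if ( get_option( 'example_redirect_caps_granted' ) ) {
		return;
	}
	$post_type = get_post_type_object( EXAMPLE_REDIRECT_POST_TYPE );
	if ( ! $post_type ) {
		return;
	}
	// Administrators only by default; a site can widen this via the filter.
	$roles = apply_filters( 'example_redirect_roles', [ 'administrator' ] );
	// Meta caps are resolved per post by map_meta_cap(), never granted to roles.
	$meta_caps = [ 'edit_post', 'read_post', 'delete_post' ];

	foreach ( $roles as $role_name ) {
		$role = get_role( $role_name );
		if ( ! $role ) {
			continue;
		}
		foreach ( (array) $post_type->cap as $key => $cap ) {
			// Skip meta caps and the generic 'read' cap every role already has.
			if ( in_array( $key, $meta_caps, true ) || 'read' === $cap ) {
				continue;
			}
			$role->add_cap( $cap );
		}
	}
	update_option( 'example_redirect_caps_granted', 1 );
} );
```

Roles that are not granted `edit_hm_redirects` (contributors, authors and editors under the default filter value) lose the Redirects admin screens, while the post type itself stays registered for front-end queries.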

Yes, @roborourke, that is correct. If you want to introduce capability things, Safe Redirect Manager is a good example; you can introduce restrictions the same way.

I can open up a PR the same way.

sanketio avatar Jun 03 '19 15:06 sanketio

Always happy to get pull requests if you have the time to do so 👍

roborourke avatar Jun 03 '19 16:06 roborourke