Feature Request: Improved roles support

Open DaWoblefet opened this issue 3 years ago • 2 comments

Love the tool! I have a couple feature requests. First, it would be nice to be able to toggle permissions for the plugin in the tool's settings, as a convenience feature instead of hooking into the aal_init_roles filter. Just a QoL thing.

Second, when using the aal_init_roles filter, it doesn't actually hide the plugin from the user in the menubar. It does restrict their access, but it'd be nice to properly remove the plugin when they don't have the correct role. So instead of:

image

it's more like this, where it's not displayed at all:

image

This is the associated code snippet I'm using to model the behavior above. Of course, this would need to be adjusted to handle what roles are actually allowed.

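// Hide the Activity Log menu entry from anyone who is not an administrator.
function hide_activity_log_from_editors() {
    global $user_ID;
    if (!current_user_can('administrator')) {
        // 'activity_log_page' is the plugin's menu slug.
        remove_menu_page('activity_log_page');
    }
}
// Hook late on admin_menu so the menu entry has already been registered.
add_action('admin_menu', 'hide_activity_log_from_editors', 999);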

DaWoblefet avatar Nov 29 '21 15:11 DaWoblefet

Hi @DaWoblefet,

Regarding your first request, for now, we will not add it to the settings page.

About the menu item, you should use our custom user capability view_all_aryo_activity_log. The aal_init_roles filter is designed for which items a user may watch and which they may not.

KingYes avatar Feb 16 '22 16:02 KingYes

@KingYes,

I checked and our "editor" role does not have that capability. I ran a var_dump of get_role('editor') and view_all_aryo_activity_log was not in the capabilities array. However, users with the editor role can still see Activity Log in the sidebar. If I assign the "editor" role that view_all_aryo_activity_log capability, then it just looks like it bypasses the aal_init_roles filter. So it doesn't remove it from the sidebar.

Just from a quick look through the codebase, it appears that if the view_all_aryo_activity_log capability is not set, it uses the edit_pages capability as a fallback, which is not what I want to happen since I only want administrators to be able to view the Activity Log on my site. But this fallback permits Editors to view the site. See line 14 of classes\class-aal-admin-ui.php:

$menu_capability = current_user_can( 'view_all_aryo_activity_log' ) ? 'view_all_aryo_activity_log' : 'edit_pages';

DaWoblefet avatar Feb 16 '22 21:02 DaWoblefet
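
As an added example (not code from the thread or from the plugin): one way a site owner could keep the Activity Log admin-only regardless of the `edit_pages` fallback quoted above, by hiding the menu entry and also refusing direct requests for the page. The `aal_example_*` names, the choice of `manage_options` as the required capability, and the hook priority of 999 are assumptions; the page slug is the one used in the snippet earlier in the issue.

```php
<?php
/**
 * Added example: restrict the Activity Log menu and page to one capability.
 * Intended to live in a small site-specific plugin or mu-plugin (assumption).
 */

// Assumption: only users holding manage_options (administrators on a
// default install) may see the log. Adjust to the site's own policy.
const AAL_EXAMPLE_REQUIRED_CAP = 'manage_options';

// Menu slug as it appears in the snippet posted in the issue.
const AAL_EXAMPLE_PAGE_SLUG = 'activity_log_page';

/**
 * Remove the sidebar entry for users without the required capability.
 * remove_menu_page() changes what the sidebar shows; it is not an access
 * check, which is why the second hook below exists.
 */
function aal_example_hide_menu() {
    if ( ! current_user_can( AAL_EXAMPLE_REQUIRED_CAP ) ) {
        remove_menu_page( AAL_EXAMPLE_PAGE_SLUG );
    }
}
// Late priority (assumed to be later than the plugin's own admin_menu hook).
add_action( 'admin_menu', 'aal_example_hide_menu', 999 );

/**
 * Refuse direct requests for admin.php?page=activity_log_page from users
 * without the required capability, even if the menu entry is hidden.
 */
function aal_example_block_direct_access() {
    $page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
    if ( AAL_EXAMPLE_PAGE_SLUG !== $page ) {
        return; // Some other admin screen; nothing to enforce here.
    }
    if ( ! current_user_can( AAL_EXAMPLE_REQUIRED_CAP ) ) {
        wp_die(
            esc_html__( 'You are not allowed to view this page.' ),
            '',
            array( 'response' => 403 )
        );
    }
}
add_action( 'admin_init', 'aal_example_block_direct_access' );
```

To verify, log in as an Editor and confirm both that the sidebar entry is gone and that requesting the page URL directly returns the 403 response.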