WordPress-iOS

Page button always shown despite user's lack of required capability/role

Open guarani opened this issue 5 years ago • 3 comments

Expected behavior

The app should not allow site users with the author or contributor roles to manage (add/edit) pages. Only users with the editor, administrator, or "Super Admin" roles should be allowed to do this.

Roles and capabilities reference: https://wordpress.org/support/article/roles-and-capabilities/

Actual behavior

Tested on a self-hosted site

The app allows users with the author or contributor role to navigate to the Site Pages screen, open the editor to create a new Page, etc, even though none of these operations can be finalized (the server correctly rejects the request to list site Pages for example).

Attempting to publish a Page despite lack of required role: [screenshot showing error message when user without required role attempts to publish a Page]

Attempting to view Page list despite lack of required role: [screenshot showing error message when user without required role attempts to view Page list screen]

Steps to reproduce the behavior

  1. Log into a site with a user whose role on that site is either author or contributor
  2. On the site screen, notice that the Pages button is shown (it should be hidden)
  3. Again on the site screen, notice that the Floating Action Button (+), when tapped, shows an option to create a Page (which shouldn't be there)
  4. The user can follow a dead-end path by tapping the Pages button, which leads to the app attempting to load the screen ("Fetching pages..." message) before getting stuck or showing an error message
  5. Another dead end occurs if the user creates a page via the FAB button and attempts to publish, which again results in an error

Tested on iPhone 11, iOS 14, WPiOS 15.8

guarani, Oct 14 '20 23:10
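
The gating described under "Expected behavior", sketched as an added example (not code from WordPress-iOS or from the issue author): the client derives which page entry points to show from the user's capabilities and hides them when that data is missing, while the server remains the enforcement point. It assumes the user object comes from the WordPress REST API (`GET /wp/v2/users/me?context=edit`, which includes a `capabilities` map); `SiteUserCaps`, `PageActions` and `pageActions(fromUserJSON:)` are hypothetical names, and the JSON samples are constructed.

```swift
import Foundation

// Only the field needed here; other keys in the user object are ignored by the decoder.
struct SiteUserCaps: Decodable {
    let capabilities: [String: Bool]?
}

// Hypothetical model of the page-related entry points on the site screen.
struct PageActions: Equatable {
    let showPagesButton: Bool      // Pages row on the site screen
    let showCreatePageInFAB: Bool  // "Page" option behind the (+) button
    let canPublish: Bool           // whether the editor should offer Publish
}

// Decide from capabilities rather than role names, so custom roles are handled too.
// Fails closed: undecodable or missing capability data hides every page entry point.
func pageActions(fromUserJSON data: Data) -> PageActions {
    let hidden = PageActions(showPagesButton: false, showCreatePageInFAB: false, canPublish: false)
    guard let user = try? JSONDecoder().decode(SiteUserCaps.self, from: data),
          let caps = user.capabilities else { return hidden }
    let canEdit = caps["edit_pages"] == true
    let canPublish = canEdit && caps["publish_pages"] == true
    return PageActions(showPagesButton: canEdit, showCreatePageInFAB: canEdit, canPublish: canPublish)
}

// Constructed sample responses (trimmed to a few capabilities per role).
let samples: [(String, String)] = [
    ("author", #"{"roles":["author"],"capabilities":{"read":true,"edit_posts":true,"publish_posts":true,"upload_files":true}}"#),
    ("contributor", #"{"roles":["contributor"],"capabilities":{"read":true,"edit_posts":true}}"#),
    ("editor", #"{"roles":["editor"],"capabilities":{"read":true,"edit_posts":true,"edit_pages":true,"publish_pages":true}}"#),
    ("no capability data", #"{"roles":["editor"]}"#),
    ("malformed", "{")
]

for (label, json) in samples {
    print(label, pageActions(fromUserJSON: Data(json.utf8)))
}
```

Hiding the buttons only removes the dead-end paths; the server-side rejection the issue describes is still what prevents the operation.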

Related: https://github.com/wordpress-mobile/WordPress-Android/issues/13139

guarani, Oct 15 '20 00:10

If this is implemented, we should consider adopting pull-to-refresh on the site screen to allow the user to "refresh" their role so that if their role is changed remotely, it can be used within the app (similar to https://github.com/wordpress-mobile/WordPress-Android/issues/13140).

guarani, Oct 15 '20 00:10

This issue has been marked as stale because:

  • It has been inactive for the past year.
  • It isn't in a project or a milestone.
  • It hasn’t been labeled [Pri] Blocker, [Pri] High, or good first issue.

Please comment with an update if you believe this issue is still valid or if it can be closed. This issue will also be reviewed for validity and priority during regularly scheduled triage sessions.

stale[bot], May 01 '22 00:05