Empty settings page for users with custom role having the manage_options
capability
#544
Open
2 tasks done
manage_options
capability
#544
Confirmation
WordPress version
6.4.3
Cloudflare-WordPress version
4.12.6
PHP version
7.4.33
Expected result
A user with a custom role which has the
manage_options
capability, being able to purge the cache through the Settings → Cloudflare page.Actual result
When clicking the "Cloudflare" admin menu item, an empty page is displayed and
CONFIG_FETCH_ERROR
andZONES_FETCH_ERRORS
errors occur in the console.Steps to reproduce
manage_options
capability (e.g. using the Members plugin; https://wordpress.org/plugins/members/)Additional factoids
It appears that the changes from #529 are causing the issues (released in version
4.12.3
). The "Cloudflare" admin menu item requires themanage_options
capability and the WordPress AJAX actioncloudflare_proxy
— which seems needed to load the settings page — is checking for theadministrator
role.Cloudflare-WordPress/src/WordPress/Hooks.php
Lines 82 to 87 in dd13e15
Cloudflare-WordPress/src/WordPress/Proxy.php
Lines 56 to 60 in dd13e15
It might be better to check against the
manage_options
capability in the proxy too, so both will be checking the same requirement to access the settings page.Also, as mentioned in the WordPress developer documentation at https://developer.wordpress.org/reference/functions/current_user_can/, checking against a role instead of a capability using
current_user_can()
is discouraged:Cloudflare-WordPress/src/WordPress/WordPressAPI.php
Lines 159 to 165 in dd13e15
Cloudflare-WordPress/src/WordPress/WordPressWrapper.php
Lines 39 to 42 in 58db13b
References
#529
The text was updated successfully, but these errors were encountered: