[Patryk Wezowski]

I have a problem with Connections directory Role Capabilities.
No matter how I set “Add Entry Moderated” and “Add Entry”
ANY logged in user (no matter what role he is) is always able to add moderated entry. I have membership website with custom roles. “Edit Entry Moderated” and “Edit Entry” capability seems to work fine either blocking user from editing his entry or allowing it but everyone can add new Entry.

My setup:
Connections->Roles
Role:s2member level 4
“Add Entry” and “Add Entry Moderated” remain UNCHECKED.
Connections->Settings-> When this option is enabled a “View My Directory Entry” or “Add My Directory Entry” link will be displayed. CHECKED

Test user with Role:s2member level 4 logs in and he sees above directory page:
Add My Directory Entry
So user without capabilities to add Directory Entry can do it anyway.
If I uncheck option in Connections->Settings-> When this option is enabled a “View My Directory Entry” or “Add My Directory Entry” link will be displayed.
user wont see a link but he sill will be able to simply go to page:
http://mydomain.com/connections-directory/submit manually and post his entry despite theoreticaly having no capabilities to do so.

Installed plugins:
cMap
CSV import
link
contact
form

How can i fix it?

[Steven Zahm]

@ Patryk Wezowski

s2member… the first thing to do is this. Just incase s2member wiped the custom role capabilities.

After you do the above, go to the Connections : Roles admin page and check the Reset All Role Capabilities option and click Update.

Now, for the s2member level 4 role, add the following capabilities:

• Depending on if you have the require login option set or not you might have add the View Public Entries capability. If the option is there, add the capability.
• Optionally, add the View Private Entries capability if you want the role to have it.
• All other capabilities should remain unchecked.

After you have those capabilities set, click Update.

That should prevent the Add My Directory Entry from being presented to that role. There is a bug, that if a user can guess the submit URL, they will still be able to submit an entry. This will be corrected in a future update.

Hope that helps, let me know.

[Patryk Wezowski]

Actually there is a bug in connections_link.php around line 509. Link “Add My Directory Entry” will be displayed to everyone no matter what cause there is missing:
if (current_user_can( ‘connections_add_entry_moderated’ ) || current_user_can( ‘connections_add_entry’ ))
Here is a code with added missing piece:

          if (current_user_can( 'connections_add_entry_moderated' ) || current_user_can( 'connections_add_entry' ))
          {
            if ( class_exists( 'Connections_Form' ) ) {

                cnURL::permalink( array( 'type' => 'submit', 'text' => __( 'Add My Directory Entry', 'connections_link' ), 'return' => FALSE ) );

            } else {

                printf( '%2$s',
                    admin_url( 'users.php?page=connections_link' ),
                    __( 'Add My Directory Entry', 'connections_link' )
                    );

            }
          }

For me thats what fixed link showing to people with roles that had no capability.

• This reply was modified 7 years, 7 months ago by Patryk Wezowski.

[Steven Zahm]

@ Patryk

Ahhh… I see, that is actually something I did find and fix. I hadn’t pushed it out as an update yet. It also has another fix for plugins that break the wp_login action… or more accurately call it without passing the $user object too. That causes the actual link on login to fail.

[Author]

Posts