Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom post type to store logs uses default capability type #74

Closed
benoitchantre opened this issue Dec 20, 2021 · 3 comments · Fixed by #75 or #76
Closed

Custom post type to store logs uses default capability type #74

benoitchantre opened this issue Dec 20, 2021 · 3 comments · Fixed by #75 or #76
Assignees
@soup-bowl
Labels
bug Something isn't working

Comments

@benoitchantre
Copy link
Contributor

benoitchantre commented Dec 20, 2021
edited
Loading

What WordPress, PHP and Simple SMTP versions are you using?
Simple SMTP 1.2.3

Describe the bug
The custom post type to store logs uses default capability type with no additional capabilities.

Expected behavior
The capability required to view/delete logs should be related to an admin role, for example manage_options.
@benoitchantre benoitchantre added the bug Something isn't working label Dec 20, 2021
@soup-bowl soup-bowl linked a pull request Dec 21, 2021 that will close this issue
Use a capability name with current_user_can() #75
Merged
@soup-bowl
Copy link
Owner

Good catch on the lazy implementation there. Ironically comes at a time where in a private repo I'm a member of, someone has complained about developers using misguided cap types impacting custom role assignments.

@benoitchantre
Copy link
Contributor Author

#75 is not directly related to this issue.

When the sbss_email_log post type is registered, the default capabilities (post) are used instead of a capability specific to an adminstrator role.

wp-simple-smtp/src/log/class-logservice.php

Lines 38 to 40 in f657d94

public function register_log_storage() {
register_post_type( $this->post_type );
}

There shoud be an additional capabilities argument passed to this function to be safer.

For example:

'capabilities'        => array(
	'publish_posts'       => 'manage_options',
	'edit_others_posts'   => 'manage_options',
	'delete_posts'        => 'manage_options',
	'delete_others_posts' => 'manage_options',
	'read_private_posts'  => 'manage_options',
	'edit_post'           => 'manage_options',
	'delete_post'         => 'manage_options',
	'read_post'           => 'manage_options',
),

@soup-bowl
Copy link
Owner

Okay, thanks for clarifying.

@soup-bowl soup-bowl reopened this Dec 21, 2021
@soup-bowl soup-bowl self-assigned this Jan 9, 2022
soup-bowl added a commit that referenced this issue Jan 9, 2022
@soup-bowl
Suggested perm change from #74.
9225dc9
@soup-bowl soup-bowl mentioned this issue Jan 9, 2022
Merged
5 tasks
@soup-bowl soup-bowl linked a pull request Jan 9, 2022 that will close this issue
Change Log Viewer Capabilities #76
Merged
5 tasks
@soup-bowl soup-bowl mentioned this issue Jan 18, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@soup-bowl soup-bowl

Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
2 participants
@benoitchantre @soup-bowl