Permission Issue with Subscriber


Viewing 7 posts - 1 through 7 (of 7 total)
  • #1350803
    Michael McGlynn
    Participant

    We are experiencing an undesirable behavior issue with Community Events and the default Subscriber role. Generally speaking, subscribers have no access to anything in the WordPress admin area except for the dashboard and their profile. Using Community Events, there are settings where you can allow users to edit and delete their own events. This is great when dealing with the front end interface, however these settings enable the admin area to now have access to see all events (though they can only edit their own), and add new ones through the admin area… a different and slightly more confusing environment for the end user.

    On top of this behavior… when checking the settings to NOT allow a user to add new venues and organizations, having the ability to edit their own events now bypasses this security feature if the user creates their event using the admin area interface instead of the front end interface. I am aware that I can “block” any role from accessing the admin area altogether… and even redirect them to a different URL if they attempt it. But in our case, we would like the subscriber to have access to the WP Admin area for profile purposes, and other potential purposes down the road.

    Typically this would not be an issue with roles that are already permitted to do such tasks… but for a subscriber I am unsure why this ability has occurred. Was this action done by default? Or is there anything else we can do to remedy this? The desired outcome would be for the Subscriber role to NOT be able to have access to any part of the Events Calendar in the WP Admin area, and only be able to access any features through the use of the community pages (add/list). Any advice would be welcome.

    #1351078

    Hi Michael,

    Thanks so much for reaching out!

    I’m sorry to hear that you are having an issue with the Subscriber roles on your site. At this point, I’m not quite sure if what you are experiencing on your site is the result of a bug, or the way that you have your settings configured, or a conflict between plugins or a theme that may be causing the behavior on your site to behave improperly.

    Out of the box, subscribers should not have access to the WordPress Dashboard, but it sounds like that is something you would like them to have, is this correct? If they have access to the Dashboard for one purpose, it is difficult to not allow them access to all parts of the Dashboard, so you may want to limit their abilities to the front end of the site, so it does not get confusing.

    You may want to test for conflicts and see if the issue still persists.  There may be another plugin or your theme interacting with ours that is causing the issue.  You can follow the steps outlined in this article to do that: https://theeventscalendar.com/knowledgebase/testing-for-conflicts/

    Additionally, this article about admin roles and permissions may be of interest to you: https://theeventscalendar.com/knowledgebase/admin-roles-and-permissions/

    If you still have the issue, perhaps you could share some more detailed information about what settings you have enabled, so that I can try to replicate the issue on my end.

    Let me know how it goes and if you have any other questions on this topic along the way!

     

    Thanks,

    Jaime

    #1351099
    Michael McGlynn
    Participant

    Hi Jaime,

    Actually, out of the box, subscribers DO have access to the WP Admin area. They are limited to the “Dashboard” and their own “Profile”. This allows subscribers to be able to modify their profile (update name, contact info, and reset password) without having to bother the site admin. In our case, we would simply like to keep this default, out of the box experience.

    I have, for clarification purposes, spun up a default instance of WordPress and have only installed The Events Calendar, The Events Calendar Pro, and Community Events plugins. No other plugin exists on the site (except for WP Engine default and required MU ones). I am also using the default Twenty Seventeen theme. I can guarantee there are no conflicts happening.

    If you would like to replicate the issue, simply create a user with subscriber permissions. If you log in as that user, you will have access to the dashboard and your profile only. Now, as the administrator, change the settings under Events->Settings->Community. Check the boxes “Users cannot create new Venues”, “Users cannot create new Organizers”, “Edit their Submission”, and “Remove their submissions”. With those settings set, log back in as the subscriber and you will see the Events menu with “Events”, “Add New”, “Venues”, and “Organizers”.

    Using this new menu, the subscriber can still only edit/delete their own submissions, and create new events… which is perfect! They do, however, see ALL submissions in the “events” table. Though they cannot modify those submissions in any way, they can still see them which might cause confusion. That is still not a big deal, however. The real problem is: in the steps above we have asked that no user be able to create new venues or organizers by checking those two boxes. However, these options now show in the admin menu… and a user CAN INDEED create a new venue and/or organizer from this back end (albeit they can only “submit for review”). The same action cannot be completed using the external page /events/community/add. But this still sort of defeats the purpose of those two checkboxes.

    I guess I’m curious as to why the “Events” menu would show in the admin area to begin with for a level as low as a subscriber. I understand that it follows the same roles and permissions as any other post. I also understand that it has its own set of rules specific to the plugin, and we can manipulate those rules via a role manager type of plugin. And I suppose that if we are granting the user the ability to edit and delete their own posts, this is probably what is triggering the behavior in the admin area. But at the very least, I still feel if we have not allowed them to create venues and organizers, those menu items should still not appear at all?

    #1351766

    Hi Michael,

    Thank you for your detailed explanations.  Unfortunately, I am not able to replicate the issue.  It is our policy not to log in to customers’ sites, so I have attempted to recreate the situation you are describing on my own test site, but cannot see what you are describing.  Would you mind taking some screenshots of what subscribers can see?

    One way to disable the Events Menu would be to add a third-party plugin and add a bit of code to your functions.php file.  You can read through the steps here: https://theeventscalendar.com/knowledgebase/disable-the-events-menu-on-the-dashboard/

    Also, another plugin that may assist you with your needs is User Role Editor, which can help you to customize the subscriber role as desired: https://wordpress.org/plugins/user-role-editor/

    Please let me know how it goes and if you have any other questions on this topic along the way!

     

    Thanks,

    Jaime
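
An added example, not part of the thread and not code from The Events Calendar: a small must-use plugin that keeps Subscribers on the dashboard and profile screens while closing the wp-admin path to events, venues and organizers, so the Community settings are only reachable through the front-end pages. The post type slugs (`tribe_events`, `tribe_venue`, `tribe_organizer`), the menu slug and the `example_` names are assumptions to verify against your install.

```php
<?php
/**
 * Plugin Name: Keep Subscribers out of the Events admin screens (example)
 * Drop into wp-content/mu-plugins/. Illustrative code, not the vendor's.
 */

// Assumed post type slugs for events, venues and organizers.
const EXAMPLE_EVENT_POST_TYPES = array( 'tribe_events', 'tribe_venue', 'tribe_organizer' );

// True only for a logged-in user whose roles include Subscriber and who
// has no editorial capability from some other role.
function example_is_plain_subscriber() {
    $user = wp_get_current_user();
    return $user->exists()
        && in_array( 'subscriber', (array) $user->roles, true )
        && ! current_user_can( 'edit_others_posts' );
}

// 1. Cosmetic: hide the Events menu and its Venues/Organizers submenus.
add_action( 'admin_menu', function () {
    if ( example_is_plain_subscriber() ) {
        remove_menu_page( 'edit.php?post_type=tribe_events' ); // assumed menu slug
    }
}, 999 );

// 2. Enforcement: a hidden menu does not stop a direct request to
//    edit.php or post-new.php, so refuse those screens outright.
//    The dashboard and profile screens have no post type and pass through.
add_action( 'current_screen', function ( $screen ) {
    if ( ! example_is_plain_subscriber() ) {
        return;
    }
    if ( in_array( $screen->post_type, EXAMPLE_EVENT_POST_TYPES, true ) ) {
        wp_die(
            esc_html__( 'Please manage your events from the community pages.' ),
            '',
            array( 'response' => 403 )
        );
    }
} );
```

This covers wp-admin screens only; after installing it, log in as a Subscriber and request the venue and organizer "Add New" URLs directly to confirm they return 403.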

    #1354479
    Michael McGlynn
    Participant

    Let’s be clear that users logging in with a Subscriber role can see the dashboard. This is default WP behavior. I’m demonstrating this with a screenshot from a stock, local WP installation with no active plugins.

    Since this behavior is the foundation of the issue, it’s important that you folks acknowledge this fact as true.

    #1354828

    Hi Michael,

    Yes, sorry for the confusion!  Subscribers can see the dashboard and view their profile.  Did you need any additional assistance on how to achieve the results you were looking for?

     

    Thanks,

    Jaime

    #1365385
    Support Droid
    Keymaster

    Hey there! This thread has been pretty quiet for the last three weeks, so we’re going to go ahead and close it to avoid confusion with other topics. If you’re still looking for help with this, please do open a new thread, reference this one and we’d be more than happy to continue the conversation over there.

    Thanks so much!
    The Events Calendar Support Team

  • The topic ‘Permission Issue with Subscriber’ is closed to new replies.