Restricting roles isn't being restricted
- This topic has 11 replies, 3 voices, and was last updated 8 years, 1 month ago by Support Droid.
March 1, 2016 at 12:39 pm #1084022 Mad Dog (Participant)
This is odd, but it seems I just found out that Subscribers can Add events even though the only two capabilities checked in the Members plugin Role Editor for Subscribers are “Read” and “Read Tribe Event.” It’s as if the full events capabilities are open to any member class!
Any idea what’s happening here?
– We do NOT allow anonymous submissions.
– We DO have checked that logged in users can edit and remove their submissions but I assumed this only affected a class of users that was allowed access. Does this affect ANY logged in user??
Thanks,
Mad Dog
March 2, 2016 at 4:15 pm #1084617 George (Participant)
Hey @Mad Dog,
Sorry for the trouble and lack of clarity on this!
By default, the subscriber level CAN only “read” events.
However, when you set the “Allow users to edit their submissions” option in Community Events to true, this adds two additional capabilities to the user regardless of their admin role:
• edit_tribe_events
• edit_tribe_venues
As their name implies, these capabilities allow the user to edit their events and venues.
This does NOT get applied to all users of the subscriber level. This only happens on a per-user basis for users who submit events.
I hope this information helps!
George
March 2, 2016 at 4:47 pm #1084641 Mad Dog (Participant)
Oh……that all makes sense and I was going to say that Subscribers should never be able to add events, but I think I know what’s happening….
I have an odd set-up on this site because it shares legacy Perl scripts (don’t ask!) and have a “general user” that’s a Subscriber that I’m actually using to restrict people from some legacy members pages. (I told you not to ask!) I realize that somewhere along the way an event was added using that username so now anyone using that default member can edit.
If I delete all events for that subscriber, will that stop them from being able to add new events? Or once that door’s open does it stay open?
Hope I’m making sense…
MD
March 2, 2016 at 5:47 pm #1084653 Mad Dog (Participant)
Thinking about this a few minutes, is the actual answer to UNCHECK that, then use Members Role Editor to only allow (in our case) Admin and Teacher roles event creating and editing rights, and then Subscribers will only be able to read them?
March 3, 2016 at 10:32 am #1084928 George (Participant)
Hey Mad Dog,
Deleting events from a subscriber with edit access will not reset their permissions.
But unchecking the “Allow users to edit their submissions” option should do that.
As far as Members Role Editor and such, this indeed may be a great solution as long as the Community Events settings are set with “Allow users to edit their submissions” un-checked.
You may have to tinker around a bit with that Members Role Editor plugin and such, Mad Dog. We unfortunately cannot help here, because our plugins simply extend the existing WordPress roles and such so to customize them is something you’ll have to take the reins on. But yes the solution you suggest does seem like it could work quite well for your needs.
I wish you the best of luck with your customizing!
George
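Added example, not part of the thread and not code from the plugin: since deleting a user's events does not reset the permissions, this audit lists accounts outside the intended roles that still hold edit_tribe_events or edit_tribe_venues, and shows whether each one is stored on the user or comes from a role. It assumes, per George's reply, that the capabilities are granted on the individual user; the file name, the `$allowed_roles` list and the `$apply` switch are illustrative choices.

```php
<?php
// Added example. Run inside WordPress, for instance:
//   wp eval-file audit-event-caps.php   (file name is a placeholder)
// Assumption taken from George's reply: the two capabilities are stored on
// the individual user account rather than on the Subscriber role.
$event_caps    = array( 'edit_tribe_events', 'edit_tribe_venues' );
$allowed_roles = array( 'administrator', 'teacher' ); // roles named in this thread
$apply         = false; // true = remove per-user grants, false = report only

foreach ( get_users() as $user ) {
    // Accounts in a role that is meant to manage events are left alone.
    if ( array_intersect( $allowed_roles, $user->roles ) ) {
        continue;
    }
    foreach ( $event_caps as $cap ) {
        // WP_User::$caps holds what is stored on the user itself (role names
        // plus individually granted capabilities); has_cap() gives the
        // effective answer after role capabilities are merged in.
        $direct    = ! empty( $user->caps[ $cap ] );
        $effective = $user->has_cap( $cap );
        if ( ! $direct && ! $effective ) {
            continue;
        }
        printf(
            "%s (ID %d, roles: %s) has %s, %s\n",
            $user->user_login,
            $user->ID,
            implode( ',', $user->roles ),
            $cap,
            $direct ? 'granted on the user' : 'inherited from a role'
        );
        // Only per-user grants are removed here; a capability inherited
        // from a role has to be changed on the role itself.
        if ( $direct && $apply ) {
            $user->remove_cap( $cap );
        }
    }
}
```

Run it once with `$apply` left at `false` and review the report before removing anything.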
March 3, 2016 at 10:54 am #1084944 Mad Dog (Participant)
Sounds good and using Role Editor is no problem. By any chance do you have the event user capabilities anywhere? Role Editor lists them alphabetically and there can be a lot of them with different plugins so a concise list for me to make sure I’ve got all the needed ones would be handy.
THANKS
March 3, 2016 at 3:25 pm #1085070 George (Participant)
Hey @Mad Dog,
Yes, we’ve got a list of all of the capabilities here → https://theeventscalendar.com/knowledgebase/admin-roles-and-permissions/
🙂
George
March 3, 2016 at 3:58 pm #1085079 Mad Dog (Participant)
Perfect!
Thanks
March 3, 2016 at 4:00 pm #1085081 George (Participant)
🙂
March 4, 2016 at 5:09 pm #1085411 Mad Dog (Participant)
Just so you know, and maybe it will help someone else at some point, I went with a different way of accomplishing this. Instead of getting into the Roles, because I realized I needed some error message, I changed event-list.php by wrapping the page in a conditional so only admins and teachers (the two roles who can post events/courses) can get to the page. Anyone else gets an “error” message.

    // Conditional so only Teachers and Admins see the list
    if( current_user_can('teacher') || current_user_can('administrator') ) {
    // End role exclusion

Then the existing page code. Ending with:

    <?php // Rest of CONDITIONAL SO ONLY Teachers and Admins have access
    } else { ?>
        <div class="no_subscriber">
            You must be an authorized Instructor or School<br />
            to add courses<br /><br />
            <a href='http://ourdomain.com/events/'>Click here to go back to the Course Listing</a>
        </div>
    <?php } //END CONDITIONAL ?>

Maybe not the nicest code (I could have used echo) but it works!
MD
March 7, 2016 at 2:30 pm #1086010 George (Participant)
Thanks for sharing this solution! 🙂
Best of luck with your project,
George
March 22, 2016 at 9:35 am #1092418 Support Droid (Keymaster)
This topic has not been active for quite some time and will now be closed.
If you still need assistance please simply open a new topic (linking to this one if necessary)
and one of the team will be only too happy to help.
- The topic ‘Restricting roles isn't being restricted’ is closed to new replies.