Restricting roles isn't being restricted


Viewing 12 posts - 1 through 12 (of 12 total)
  • #1084022
    Mad Dog
    Participant

    This is odd, but it seems I just found out that Subscribers can Add events even though the only two capabilities checked in the Members plugin Role Editor for Subscribers are “Read” and “Read Tribe Event.” It’s as if the full events capabilities are open to any member class!

    Any idea what’s happening here?

    – We do NOT allow anonymous submissions.

    – We DO have checked that logged in users can edit and remove their submissions but I assumed this only affected a class of users that was allowed access. Does this affect ANY logged in user??

    Thanks,
    Mad Dog

    #1084617
    George
    Participant

    Hey @Mad Dog,

    Sorry for the trouble and lack of clarity on this!

    By default, the subscriber level CAN only “read” events.

    However, when you set the “Allow users to edit their submissions” option in Community Events to true, this adds two additional capabilities to the user regardless of their admin role:

    • edit_tribe_events
    • edit_tribe_venues

    As their name implies, these capabilities allow the user to edit their events and venues.

    This does NOT get applied to all users of the subscriber level. This only happens on a per-user basis for users who submit events.

    I hope this information helps!
    George

    #1084641
    Mad Dog
    Participant

    Oh……that all makes sense and I was going to say that Subscribers should never be able to add events, but I think I know what’s happening….

    I have an odd set-up on this site because it shares legacy Perl scripts (don’t ask!) and have a “general user” that’s a Subscriber that I’m actually using to restrict people from some legacy members pages. (I told you not to ask!) I realize that somewhere along the way an event was added using that username so now anyone using that default member can edit.

    If I delete all events for that subscriber, will that stop them from being able to add new events? Or once that door’s open does it stay open?

    Hope I’m making sense…

    MD

    #1084653
    Mad Dog
    Participant

    Thinking about this a few minutes, is the actual answer to UNCHECK that, then use Members Role Editor to only allow (in our case) Admin and Teacher roles event creating and editing rights, and then Subscribers will only be able to read them?

    #1084928
    George
    Participant

    Hey Mad Dog,

    Deleting events from a subscriber with edit access will not reset their permissions.

    But unchecking the “Allow users to edit their submissions” option should do that.

    As far as Members Role Editor and such, this indeed may be a great solution as long as the Community Events settings are set with “Allow users to edit their submissions” un-checked.

    You may have to tinker around a bit with that Members Role Editor plugin and such, Mad Dog. We unfortunately cannot help here, because our plugins simply extend the existing WordPress roles and such so to customize them is something you’ll have to take the reins on. But yes the solution you suggest does seem like it could work quite well for your needs.

    I wish you the best of luck with your customizing!

    George
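
Added example, not part of the thread or of The Events Calendar's own code: a PHP audit that lists accounts holding `edit_tribe_events` or `edit_tribe_venues` directly on the user record rather than through a role, which is the per-user grant George describes above and the one that deleting events does not clear. It assumes the grant is stored on the user record; the `example_` names and the file name are hypothetical.

```php
<?php
// Added example, not Community Events code. Run inside WordPress,
// e.g. with WP-CLI: wp eval-file audit-event-caps.php (file name is hypothetical).

// The two capabilities named in the thread.
const EXAMPLE_EVENT_CAPS = array( 'edit_tribe_events', 'edit_tribe_venues' );

// Return the watched capabilities set on the user record itself
// that none of the user's roles already grants.
function example_user_level_caps( WP_User $user, array $watch ) {
	$found = array();
	foreach ( $watch as $cap ) {
		// $user->caps holds per-user grants (role names are stored there too).
		if ( empty( $user->caps[ $cap ] ) ) {
			continue;
		}
		$from_role = false;
		foreach ( $user->roles as $role_name ) {
			$role = get_role( $role_name );
			if ( $role && $role->has_cap( $cap ) ) {
				$from_role = true;
				break;
			}
		}
		if ( ! $from_role ) {
			$found[] = $cap;
		}
	}
	return $found;
}

// Audit every account; pass true to also strip the extra grants.
function example_audit_event_caps( $revoke = false ) {
	$report = array();
	foreach ( get_users() as $user ) {
		$extra = example_user_level_caps( $user, EXAMPLE_EVENT_CAPS );
		if ( ! $extra ) {
			continue;
		}
		$report[ $user->user_login ] = array( 'roles' => $user->roles, 'extra' => $extra );
		if ( $revoke ) {
			array_map( array( $user, 'remove_cap' ), $extra );
		}
	}
	return $report;
}

// Report only; nothing is changed unless true is passed.
print_r( example_audit_event_caps( false ) );
```

A shared login like the "general user" described earlier in the thread would show up in this report with the role `subscriber` and both capabilities listed under `extra`. Re-run the report after changing the Community Events option to confirm the grants are gone.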

    #1084944
    Mad Dog
    Participant

    Sounds good and using Role Editor is no problem. By any chance do you have the event user capabilities anywhere? Role Editor lists them alphabetically and there can be a lot of them with different plugins so a concise list for me to make sure I’ve got all the needed ones would be handy.

    THANKS

    #1085070
    George
    Participant

    Hey @Mad Dog,

    Yes, we’ve got a list of all of the capabilities here → https://theeventscalendar.com/knowledgebase/admin-roles-and-permissions/

    🙂

    George

    #1085079
    Mad Dog
    Participant

    Perfect!

    Thanks

    #1085081
    George
    Participant

    🙂

    #1085411
    Mad Dog
    Participant

    Just so you know, and maybe it will help someone else at some point, I went with a different way of accomplishing this. Instead of getting into the Roles, because I realized I needed some error message, I changed event-list.php by wrapping the page in a conditional so only admins and teachers (the two roles who can post events/courses) can get to the page. Anyone else gets an “error” message.

    // Conditional so only Teachers and Admins see the list 
    if( current_user_can('teacher') || current_user_can('administrator') ) { 
    // End role exclusion

    Then the existing page code. Ending with:

    <?php 
    // Rest of CONDITIONAL SO ONLY Teachers and Admins have access
    } else { ?>
    	<div class="no_subscriber">
    	You must be an authorized Instructor or School<br />
    	to add courses<br /><br />
    	<a href='http://ourdomain.com/events/'>Click here to go back to the Course Listing</a>
    	</div>
    <?php } 
    //END CONDITIONAL
    ?>

    Maybe not the nicest code (I could have used echo) but it works!

    MD

    #1086010
    George
    Participant

    Thanks for sharing this solution! 🙂

    Best of luck with your project,
    George

    #1092418
    Support Droid
    Keymaster

    This topic has not been active for quite some time and will now be closed.

    If you still need assistance please simply open a new topic (linking to this one if necessary)
    and one of the team will be only too happy to help.
