A user logged in as an “Espresso Regional Manager” can create a new event and have EE create a new post within WP, and can assign it to any user, even though the underlying WP account does not have permission to create posts within the WP system. We specifically disallow all accounts other than admin accounts from creating posts on our site. However, the regional manager can do this. The only permissions we grant to a regional manager are:
– espresso event admin
– espresso event manager
– espresso group admin
– read
They cannot create posts within the usual WP structure, but EE does let them do this indirectly, which is a security/policy issue for us.
EE should respect WP account capabilities, including denying the ability to post if the user does not have that capability.
EE should not allow a user to assign the automatic post to another user unless the user’s role allows this. (See how WP handles capabilities)
In addition, I would suggest it would be best to simply not show this box in the -New Event- workflow if the user doesn’t have it as a capability.
Thanks for letting us know about this. We actually added a setting in the “User Permissions” page that should turn off the ability for users to create a post. However, it looks like it is not working for some reason. I will get it fixed asap.
In the meantime, you can remove the create a post stuff by editing the following files:
event-espresso/includes/event-management/add_new_event.php
event-espresso/includes/event-management/edit_event.php
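
The capability checks requested in the original post, sketched against WordPress core functions. This is an added example, not part of the thread and not Event Espresso's code; the `example_`-prefixed function names and the `$event` array keys are hypothetical, and the snippet assumes it is loaded inside WordPress (for instance from a plugin file).

```php
<?php
// Added example, not Event Espresso code. Names prefixed "example_" are hypothetical.
// Assumes WordPress is loaded; only WordPress core functions are called.

/**
 * Create the companion post for an event only if the current user could
 * create that post through WordPress itself.
 *
 * @param array $event               Hypothetical keys: 'name', 'description'.
 * @param int   $requested_author_id Author chosen in the form, 0 for "myself".
 * @return int|WP_Error New post ID, or an error naming the denied action.
 */
function example_create_event_post( array $event, $requested_author_id = 0 ) {
    // 1. A role holding only "read" plus plugin capabilities fails here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'example_no_create', 'You are not allowed to create posts.' );
    }

    // 2. Assigning the post to someone else requires edit_others_posts,
    //    the same capability core requires to change a post's author.
    $current_id = get_current_user_id();
    $author_id  = $requested_author_id ? (int) $requested_author_id : $current_id;
    if ( $author_id !== $current_id && ! current_user_can( 'edit_others_posts' ) ) {
        return new WP_Error( 'example_no_assign', 'You are not allowed to assign posts to other users.' );
    }

    // 3. Without publish_posts the post is held for review instead of going live.
    $status = current_user_can( 'publish_posts' ) ? 'publish' : 'pending';

    return wp_insert_post(
        array(
            'post_type'    => 'post',
            'post_title'   => sanitize_text_field( $event['name'] ),
            'post_content' => wp_kses_post( $event['description'] ),
            'post_author'  => $author_id,
            'post_status'  => $status,
        ),
        true // Return a WP_Error on failure instead of 0.
    );
}

/** Decide whether the "create a post" box is rendered in the event form at all. */
function example_show_create_post_box() {
    return current_user_can( 'edit_posts' );
}
```

Hiding the box is a usability measure only; the server-side checks in `example_create_event_post()` are what enforce the policy, since a form field can be submitted even when it is not displayed.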
The support post ‘"Create post for an event" exceeds WP role capabilities (policy issue)’ is closed to new replies.
Support forum for the Roles and Permissions add-ons for EE3.