"Create post for an event" exceeds WP role capabilities (policy issue)


Jim Schuyler

July 14, 2012 at 8:02 pm

A user logged in as an “Espresso Regional Manager” can create a new event and have EE create a new post within WP, and can assign it to any user, even though the underlying WP account does not have permission to create posts within the WP system. We specifically disallow all accounts other than admin accounts from creating posts on our site. However, the regional manager can do this. The only permissions we grant to a regional manager are:
– espresso event admin
– espresso event manager
– espresso group admin
– read
They cannot create posts within the usual WP structure, but EE does let them do this indirectly, which is a security/policy issue for us.

EE should respect WP account capabilities, including denying the ability to post if the user does not have that capability.

EE should not allow a user to assign the automatic post to another user unless the user’s role allows this. (See how WP handles capabilities)

In addition, I would suggest it would be best to simply not show this box in the -New Event- workflow if the user doesn’t have it as a capability.


Seth Shoultes

  • Support Staff

July 14, 2012 at 8:46 pm

Hi Jim,

Thanks for letting us know about this. We actually added a setting in the “User Permissions” page that should turn off the ability for users to create a post. However, it looks like it is not working for some reason. I will get it fixed asap.

In the meantime, you can remove the create a post stuff by editing the following files:
event-espresso/includes/event-management/add_new_event.php
event-espresso/includes/event-management/edit_event.php
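
The check requested in this thread, sketched as an added example that is not Event Espresso's code and not part of either post. The function name and form field names are hypothetical; the capability names (`edit_posts`, `publish_posts`, `edit_others_posts`) are WordPress core's, and inside WordPress the `$can` argument would be `'current_user_can'`.

```php
<?php
// Added example, not Event Espresso code. Function and form field names
// are hypothetical; the capability names are WordPress core's.

/**
 * Decide whether an event save may also create a WP post, and for which author.
 *
 * @param array    $form    Submitted fields (hypothetical names).
 * @param int      $user_id ID of the logged-in user.
 * @param callable $can     Capability check; in WordPress pass 'current_user_can'.
 * @return array|null       Args for wp_insert_post(), or null to create nothing.
 */
function example_event_post_args(array $form, int $user_id, callable $can): ?array
{
    // The checkbox is only a request; the role decides.
    if (empty($form['create_post']) || !$can('edit_posts')) {
        return null;
    }

    // Assigning the post to someone else needs edit_others_posts, the same
    // capability core uses to show the author dropdown. Otherwise fall back
    // to the current user instead of trusting the submitted author ID.
    $author = isset($form['post_author']) ? (int) $form['post_author'] : $user_id;
    if ($author !== $user_id && !$can('edit_others_posts')) {
        $author = $user_id;
    }

    return [
        'post_title'  => (string) ($form['event_name'] ?? ''),
        'post_author' => $author,
        // Without publish_posts the post waits for review.
        'post_status' => $can('publish_posts') ? 'publish' : 'pending',
    ];
}

// Constructed demo: a role holding only "read" among the core capabilities,
// as described in the thread, next to two broader capability sets.
$caps_for = fn(array $caps) => fn(string $cap): bool => in_array($cap, $caps, true);
$form = ['create_post' => '1', 'post_author' => '7', 'event_name' => 'Spring Meetup'];

var_dump(example_event_post_args($form, 42, $caps_for(['read'])));
var_dump(example_event_post_args($form, 42, $caps_for(['edit_posts'])));
var_dump(example_event_post_args($form, 42,
    $caps_for(['edit_posts', 'publish_posts', 'edit_others_posts'])));
```

Hiding the box in the New Event form for users who lack the capability is a usability step; the server-side check on save is what enforces the policy, because form fields can be submitted whether or not the box is rendered.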

The support post ‘"Create post for an event" exceeds WP role capabilities (policy issue)’ is closed to new replies.

Status: closed

Updated by Seth Shoultes 8 years, 3 months ago

This topic is: not resolved