• Hi there!

    In version 4.2.0 you’ve deprecated the usage of the_seo_framework_settings_capability in favor of the constant THE_SEO_FRAMEWORK_SETTINGS_CAP.

    While I’m able to transform that, the issue is that I cannot define the constant within a theme as it is already defined at this point. Thus, deprecating the_seo_framework_settings_capability leads to a function loss as I was able to filter the capability via theme before.

    Is there anything I was missing, or is it intended that the capability can no longer be changed by a theme?

    Best regards,
    Matthias

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Sybre Waaijer

    (@cybr)

    Hi Matthias!

    Your use-case (and now-issue) is exactly why I deprecated it: themes load after plugins. If TSF (or any other extension) tests for the settings capability, it might do that before the theme is loaded — ignoring your filter.

    I consider this a preventative security measure because there are higher capabilities available than manage_options on multisite networks which one might instate, such as manage_network. If that capability requirement gets downgraded to manage_options because the theme isn’t available (through any bypass), a surface to attack is exposed. This is not an issue _now_, but it might be in the future.

    I recommend using wp-config.php to register the constant. Otherwise, use a (mu-)plugin and register the constant before action plugins_loaded priority 5 (e.g., directly in the main plugin file).

    I hope this explains the lot! Cheers 🙂
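The (mu-)plugin route recommended in the reply above, as an added example that is not part of the original thread and is not code from the plugin author: it defines the constant at must-use-plugin load time and logs when a theme still hooks the deprecated filter. The file name, the helper `example_tsf_required_cap()`, the multisite-based capability choice and the log wording are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: TSF settings capability (added example)
 *
 * Save as wp-content/mu-plugins/tsf-settings-cap.php (file name is an
 * assumption). Must-use plugins load before regular plugins and before the
 * theme, so the constant is in place before plugins_loaded priority 5.
 */

// Hypothetical helper: returns the capability this site requires.
// manage_network and manage_options are the two named in the thread;
// substitute whatever your own policy calls for.
function example_tsf_required_cap() {
	return is_multisite() ? 'manage_network' : 'manage_options';
}

if ( ! defined( 'THE_SEO_FRAMEWORK_SETTINGS_CAP' ) ) {
	define( 'THE_SEO_FRAMEWORK_SETTINGS_CAP', example_tsf_required_cap() );
} elseif ( THE_SEO_FRAMEWORK_SETTINGS_CAP !== example_tsf_required_cap() ) {
	// The constant was already set elsewhere (for example wp-config.php)
	// to a different value. Constants cannot be redefined, so only report it.
	error_log( sprintf(
		'THE_SEO_FRAMEWORK_SETTINGS_CAP is "%s", expected "%s".',
		THE_SEO_FRAMEWORK_SETTINGS_CAP,
		example_tsf_required_cap()
	) );
}

// Audit: once the theme has loaded, report callbacks still attached to the
// deprecated filter. A capability check that ran before the theme loaded
// never saw them, which is the ordering problem described in the reply.
add_action(
	'after_setup_theme',
	function () {
		if ( has_filter( 'the_seo_framework_settings_capability' ) ) {
			error_log(
				'Deprecated filter the_seo_framework_settings_capability is ' .
				'still hooked; move the capability to THE_SEO_FRAMEWORK_SETTINGS_CAP.'
			);
		}
	},
	PHP_INT_MAX
);
```

The audit only sees callbacks registered by the time `after_setup_theme` finishes, so a theme that adds the filter from a later hook is not reported.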

    Thread Starter Matthias Kittsteiner

    (@kittmedia)

    Hi Sybre!

    Got it, thank you for the explanation. 🙂

    Best regards,
    Matthias


The topic ‘Issues with deprecating the_seo_framework_settings_capability’ is closed to new replies.