Multisite Non Super Admin New Event Redirect

  • Resolved John Russell

    (@laubsterboy)


    11 years, 11 months ago

    I have the Events Manager plugin (5.5.3.1) installed on WordPress 3.9 with multisite enabled, with all other plugins deactivated, yet if I try to create a new event (or recurring event) with incomplete meta information using a NON super admin account I get redirected to …/wp-admin/edit.php.

    Specifically, I am using a regular administrator account for the site and attempting to create a new event, setting only the event title (and leaving date/time/location empty), and then attempting to save as draft. At this point I should see warning messages that the event details are incorrect and need to be fixed before the event can be published, however instead no draft is saved and I am redirected to …/wp-admin/edit.php (Posts).

    I have several other users that will not receive super admin privileges, but I need them to be able to see these warnings rather than losing their newly created events.

    Please let me know if I need to explain anything in more detail.

    Thanks!

    https://ww.wp.xz.cn/plugins/events-manager/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter John Russell

    (@laubsterboy)

    11 years, 11 months ago

    After doing some more debugging I’ve found that this is specifically related to “Locations on main blog” set to “yes”. It appears that when the event is being saved it checks the current user capabilities, however it is checking the capabilities of the user on the main site, rather than the current (non-main) site.

    As an example, on the main site my test user is set to be a “subscriber” and on the non-main site the test user is set to be an “administrator”, however when performing the can_manage check (as part of saving the event) for “edit_locations” the check fails since subscribers do not have that capability.

    I don’t know if this is a bug, or if this is something that should be fixed. I understand why the capability check fails, however I don’t want to setup all administrators on non-main sites to be administrators on the main site.

    This is only a problem when creating an event and not entering a complete Event Location.

    Thread Starter John Russell

    (@laubsterboy)

    11 years, 11 months ago

    I was able to find the cause of the problem, but I don’t know that it’s a bug but rather a proper user capability check with a non-graceful failure.

    In EM 5.3.3.1 – classes/em-location.php line 284 checks to see if ‘dbem_ms_mainblog_locations’ is true and if so then runs ms_global_switch (in em-object.php) which runs switch_to_blog(main_blog_id). Then on line 285 it checks to see if the current user can_manage ‘edit_locations’ and ‘edit_others_locations’. In this case, since the blog was just switched to the main blog, the can_manage test fails since the user is only a subscriber on the main blog.

    This can_manage check is mentioned in the comments and makes sense, however there should be a more graceful failure (such as displaying a warning) rather than not saving the event or location when the location fields are left empty upon saving.

    For now what I have done to fix this is to add a mu-plugin that filters the ’em_location_can_manage’ hook, checking if the user has the proper capabilities on the current blog (rather than the main) and if so returns true.

    /*
* When locations are set to be global the current user
* account is checked against the current blog to see if
* the user has proper capabilities to edit locations
* and edit other users locations. If so $return is set
* to true, otherwise the existing $return value is
* returned.
*/
function em_location_can_manage_filter($return, $this, $owner_capability, $admin_capability, $user_to_check) {
	if (current_user_can($owner_capability) && current_user_can($admin_capability)) $return = true;

	return $return;
}
add_filter('em_location_can_manage', 'em_location_can_manage_filter', 10, 5);

    This resolves the problem, but also gives users the ability to edit global locations if they have the capability to edit locations on the current blog. In my case this is what I want anyway.

    There is still the problem with users who do not have the capability to edit locations not seeing warnings (and instead just being kicked to the Posts admin page) if they try to save a new event with a blank location. This is likely a rare situation in my case, so I’m going to mark this topic as resolved.

    Hopefully someone else find this useful.

    Thread Starter John Russell

    (@laubsterboy)

    11 years, 11 months ago

    I had to make a change to the mu-plugin

    /*
* When locations are set to be global the current user
* account is checked against the current blog to see if
* the user has proper capabilities to edit locations
* and edit other users locations. If so $return is set
* to true, otherwise the existing $return value is
* returned.
*/
function em_location_can_manage_filter($return, $this, $owner_capability, $admin_capability, $user_to_check) {
	global $switched;
	$blog_id = get_current_blog_id();
	$switch_back = false;

	if ($switched) {
		restore_current_blog();
		$switch_back = true;
	}

	if (current_user_can($owner_capability) && current_user_can($admin_capability)) $return = true;

	if ($switch_back) switch_to_blog($blog_id);

	return $return;
}
add_filter('em_location_can_manage', 'em_location_can_manage_filter', 10, 5);

    Also, this does in fact seem to be a bug after all, since the user is able to save the draft, but instead of returning to the newly created draft (after clicking save) the user is taken to the Posts admin page. Returning to the Events > Drafts page will display the new event, however not all meta data is saved.

    Maybe if the location information is empty it could be treated as if the event has no event location and therefore the capability checks would not be a problem. Just a thought.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘Multisite Non Super Admin New Event Redirect’ is closed to new replies.