Wordpress-seo: WPSEO_Utils::grant_access doesn't take `wpseo_manage_options_capability` into account

Created on 19 Aug 2016 · 4 Comments · Source: Yoast/wordpress-seo

What did you expect to happen?

Being able to change the capability for editing options using the filter wpseo_manage_options_capability.

What happened instead?

Not being able to edit the capability because WPSEO::grant_access returns current_user_can( 'manage_options' ).

How can we reproduce this behavior?

  1. Use Multisite
  2. Change the capability to publish_pages for example (some capability an Editor only has)
  3. Try to visit the SEO Settings pages as an Editor.

Technical info

  • WordPress version: 4.6
  • Yoast SEO version: 3.4.2

Possible solution

Either supply the matching capability to WPSEO_Utils::grant_access or use get_manage_options_cap in WPSEO_Utils::grant_access (depending on how this relationship works, I'm not familiar with inner use of grant_access).

admin

All 4 comments

Yeah, I follow your point.

Ugh. WPSEO_Utils::grant_access () is sort of a grand legacy mess of a check. It's used all over, but it's multisite only.

This should be done but it's not a trivial fix to untangle I think.

Hi,

I just ran into this issue. Can we not, for now, update the current_user_can() line to pass 'manage_options' through the 'wpseo_manage_options_capability' filter? Feels like a possible easy win.

Thanks,
Faison

I just did a quick search through for instances of WPSEO_Utils::grant_access().

In places it is used in conjunction with current_user_can( 'manage_options' ) which is not filtered via the wpseo_manage_options_capability filter, so it would appear there may be some instances where the WPSEO_Utils::grant_access() capability should be filtered and some where it maybe should not (or possibly those instances of manage_options should also be filtered). e.g.:

$can_access = is_multisite() ? WPSEO_Utils::grant_access() : current_user_can( 'manage_options' );

Simply changing it to be filtered in WPSEO_Utils::grant_access() does seem to work but as @Rarst mentioned it does need some untangling and testing.

current_user_can( 'manage_options' ) was changed to current_user_can( 'wpseo_manage_options' ) in 2017, and I am also unable to track down any more usages of the grant_access() function. There is a Todo in that function to add a deprecation notice.

Closing this as it no longer seems relevant, but please leave a comment if I am mistaken.
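
The mismatch discussed in this thread, as an added example (not Yoast SEO's code): a stand-alone PHP model with minimal stand-ins for WordPress's add_filter(), apply_filters() and current_user_can(), and a constructed Editor-like user. grant_access_hardcoded() and grant_access_filtered() are hypothetical names that model only the capability line, not the rest of WPSEO_Utils::grant_access().

```php
<?php
// Stand-alone model, run without WordPress loaded. The three functions below
// are simplified stand-ins for the WordPress functions of the same name.
$filters = [];
$current_user_caps = ['publish_pages' => true]; // constructed Editor-like user

function add_filter(string $tag, callable $cb): void {
    global $filters;
    $filters[$tag][] = $cb;
}

function apply_filters(string $tag, $value) {
    global $filters;
    foreach ($filters[$tag] ?? [] as $cb) {
        $value = $cb($value);
    }
    return $value;
}

function current_user_can(string $cap): bool {
    global $current_user_caps;
    return !empty($current_user_caps[$cap]);
}

// The site lowers the required capability, as in the reproduction steps.
add_filter('wpseo_manage_options_capability', function ($cap) {
    return 'publish_pages';
});

// Hard-coded check, as the report describes: the filter is never consulted.
function grant_access_hardcoded(): bool {
    return current_user_can('manage_options');
}

// Hypothetical filter-aware variant, along the lines suggested in the thread.
function grant_access_filtered(): bool {
    $cap = apply_filters('wpseo_manage_options_capability', 'manage_options');
    // Fail closed: fall back to the default if a callback returns junk.
    if (!is_string($cap) || $cap === '') {
        $cap = 'manage_options';
    }
    return current_user_can($cap);
}

// The two checks disagree for the same user, which is the reported symptom.
var_dump(grant_access_hardcoded());
var_dump(grant_access_filtered());
```

Every check guarding the same settings page has to resolve the capability the same way; a mix of filtered and hard-coded checks makes the effective permission depend on which code path runs.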
