Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3487377

Timestamp:

03/20/2026 05:48:07 PM (9 days ago)

Author:

devpriyanshu

Message:

Release 1.0.1: fix user-edit/users access mapping and protect superadmin account editing

Location:

dp-admin-access-menu

Files:

: 4 edited
: 9 copied

tags/1.0.1 (copied) (copied from dp-admin-access-menu/trunk)
tags/1.0.1/assets (copied) (copied from dp-admin-access-menu/trunk/assets)
tags/1.0.1/assets/screenshots/icon-256x256.png (copied) (copied from dp-admin-access-menu/trunk/assets/screenshots/icon-256x256.png)
tags/1.0.1/deploy-to-svn.sh (copied) (copied from dp-admin-access-menu/trunk/deploy-to-svn.sh)
tags/1.0.1/dp-admin-access-menu.php (copied) (copied from dp-admin-access-menu/trunk/dp-admin-access-menu.php) (2 diffs)
tags/1.0.1/includes (copied) (copied from dp-admin-access-menu/trunk/includes)
tags/1.0.1/includes/class-dpama-menu-filter.php (modified) (2 diffs)
tags/1.0.1/languages (copied) (copied from dp-admin-access-menu/trunk/languages)
tags/1.0.1/readme.txt (copied) (copied from dp-admin-access-menu/trunk/readme.txt) (3 diffs)
tags/1.0.1/uninstall.php (copied) (copied from dp-admin-access-menu/trunk/uninstall.php)
trunk/dp-admin-access-menu.php (modified) (2 diffs)
trunk/includes/class-dpama-menu-filter.php (modified) (2 diffs)
trunk/readme.txt (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

dp-admin-access-menu/tags/1.0.1/dp-admin-access-menu.php

-                      r3440518
+                      r3487377
  * Plugin URI: https://wordpress.org/plugins/dp-admin-access-menu
  * Description: Control which WordPress backend menu items are visible to specific users. Perfect for managing user access and customizing admin experience.
  * Version: 1.0.0
+ * Version: 1.0.1
  * Author: devpriyanshu
  * Author URI: https://profiles.wordpress.org/devpriyanshu/
 …
 // Define plugin constants
 define('DPAMA_VERSION', '1.0.0');
+define('DPAMA_VERSION', '1.0.1');
 define('DPAMA_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('DPAMA_PLUGIN_URL', plugin_dir_url(__FILE__));

dp-admin-access-menu/tags/1.0.1/includes/class-dpama-menu-filter.php

-                      r3440518
+                      r3487377
+        }
+        // Protect superadmin profile from being edited by non-superadmin users.
+        if ($this->is_editing_superadmin_user($current_page, $superadmin_id)) {
+            wp_die(
+                esc_html__('You do not have permission to access this page.', 'dp-admin-access-menu'),
+                esc_html__('Access Denied', 'dp-admin-access-menu'),
+                array('response' => 403)
+            );
+        }
         // Check if current page is in allowed menus
         // Also check variations (e.g., edit.php vs edit.php?post_type=page)
         $page_allowed = false;
+        // Direct match
+        if (in_array($current_page, $allowed_menus)) {
+            $page_allowed = true;
+        } else {
+        $current_page_candidates = $this->get_page_access_candidates($current_page);
+        foreach ($current_page_candidates as $candidate_page) {
+            // Direct match
+            if (in_array($candidate_page, $allowed_menus, true)) {
+                $page_allowed = true;
+                break;
+            }
             // Check for partial matches (for query string variations)
             foreach ($allowed_menus as $allowed_menu) {
                 // If current page starts with allowed menu or vice versa
                 if (strpos($current_page, $allowed_menu) === 0 || strpos($allowed_menu, $current_page) === 0) {
+                if (strpos($candidate_page, $allowed_menu) === 0 || strpos($allowed_menu, $candidate_page) === 0) {
                     $page_allowed = true;
                     break;
+                }
                 // Handle edit.php variations
                 if (($current_page === 'edit.php' && $allowed_menu === 'edit.php') ||
                     (strpos($current_page, 'edit.php') === 0 && strpos($allowed_menu, 'edit.php') === 0)) {
+                if (($candidate_page === 'edit.php' && $allowed_menu === 'edit.php') ||
+                    (strpos($candidate_page, 'edit.php') === 0 && strpos($allowed_menu, 'edit.php') === 0)) {
                     $page_allowed = true;
                     break;
+                }
+            }
+            if ($page_allowed) {
+                break;
+            }
+        }
 …
         return '';
+    }
+    /**
+     * Return equivalent admin page slugs that should share access rules.
+     *
+     * @param string $current_page Current resolved admin page slug.
+     * @return array
+     */
+    private function get_page_access_candidates($current_page) {
+        $candidates = array($current_page);
+        // User Management aliases:
+        // user-edit.php and user-new.php are children of Users menu (users.php).
+        if ($current_page === 'user-edit.php' || $current_page === 'user-new.php') {
+            $candidates[] = 'users.php';
+        } elseif ($current_page === 'users.php') {
+            $candidates[] = 'user-edit.php';
+            $candidates[] = 'user-new.php';
+        }
+        return array_values(array_unique($candidates));
+    }
+    /**
+     * Check whether current request tries to edit superadmin user profile.
+     *
+     * @param string $current_page Current resolved admin page slug.
+     * @param int    $superadmin_id Superadmin user ID.
+     * @return bool
+     */
+    private function is_editing_superadmin_user($current_page, $superadmin_id) {
+        if ($current_page !== 'user-edit.php' || empty($superadmin_id)) {
+            return false;
+        }
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only access check.
+        $target_user_id = isset($_GET['user_id']) ? absint($_GET['user_id']) : 0;
+        return $target_user_id > 0 && $target_user_id === (int) $superadmin_id;
+    }
+}

dp-admin-access-menu/tags/1.0.1/readme.txt

-                      r3440518
+                      r3487377
 Requires at least: 5.0
 Tested up to: 6.9
 Stable tag: 1.0.0
+Stable tag: 1.0.1
 Requires PHP: 7.0
 License: GPLv2 or later
 …
 == Changelog ==
+= 1.0.1 =
+* Fixed user management access mapping so Users menu access correctly allows `user-edit.php` and `user-new.php`.
+* Added protection to block non-superadmin users from editing the superadmin account.
 = 1.0.0 =
 * Initial release
 …
 == Upgrade Notice ==
+= 1.0.1 =
+Fixes user edit access behavior for allowed Users menu and adds stricter superadmin account protection.
 = 1.0.0 =
 Initial release of DP Admin Access Menu. Install to start controlling which menu items are visible to specific users.

dp-admin-access-menu/trunk/dp-admin-access-menu.php

-                      r3440518
+                      r3487377
  * Plugin URI: https://wordpress.org/plugins/dp-admin-access-menu
  * Description: Control which WordPress backend menu items are visible to specific users. Perfect for managing user access and customizing admin experience.
  * Version: 1.0.0
+ * Version: 1.0.1
  * Author: devpriyanshu
  * Author URI: https://profiles.wordpress.org/devpriyanshu/
 …
 // Define plugin constants
 define('DPAMA_VERSION', '1.0.0');
+define('DPAMA_VERSION', '1.0.1');
 define('DPAMA_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('DPAMA_PLUGIN_URL', plugin_dir_url(__FILE__));

dp-admin-access-menu/trunk/includes/class-dpama-menu-filter.php

-                      r3440518
+                      r3487377
+        }
+        // Protect superadmin profile from being edited by non-superadmin users.
+        if ($this->is_editing_superadmin_user($current_page, $superadmin_id)) {
+            wp_die(
+                esc_html__('You do not have permission to access this page.', 'dp-admin-access-menu'),
+                esc_html__('Access Denied', 'dp-admin-access-menu'),
+                array('response' => 403)
+            );
+        }
         // Check if current page is in allowed menus
         // Also check variations (e.g., edit.php vs edit.php?post_type=page)
         $page_allowed = false;
+        // Direct match
+        if (in_array($current_page, $allowed_menus)) {
+            $page_allowed = true;
+        } else {
+        $current_page_candidates = $this->get_page_access_candidates($current_page);
+        foreach ($current_page_candidates as $candidate_page) {
+            // Direct match
+            if (in_array($candidate_page, $allowed_menus, true)) {
+                $page_allowed = true;
+                break;
+            }
             // Check for partial matches (for query string variations)
             foreach ($allowed_menus as $allowed_menu) {
                 // If current page starts with allowed menu or vice versa
                 if (strpos($current_page, $allowed_menu) === 0 || strpos($allowed_menu, $current_page) === 0) {
+                if (strpos($candidate_page, $allowed_menu) === 0 || strpos($allowed_menu, $candidate_page) === 0) {
                     $page_allowed = true;
                     break;
+                }
                 // Handle edit.php variations
                 if (($current_page === 'edit.php' && $allowed_menu === 'edit.php') ||
                     (strpos($current_page, 'edit.php') === 0 && strpos($allowed_menu, 'edit.php') === 0)) {
+                if (($candidate_page === 'edit.php' && $allowed_menu === 'edit.php') ||
+                    (strpos($candidate_page, 'edit.php') === 0 && strpos($allowed_menu, 'edit.php') === 0)) {
                     $page_allowed = true;
                     break;
+                }
+            }
+            if ($page_allowed) {
+                break;
+            }
+        }
 …
         return '';
+    }
+    /**
+     * Return equivalent admin page slugs that should share access rules.
+     *
+     * @param string $current_page Current resolved admin page slug.
+     * @return array
+     */
+    private function get_page_access_candidates($current_page) {
+        $candidates = array($current_page);
+        // User Management aliases:
+        // user-edit.php and user-new.php are children of Users menu (users.php).
+        if ($current_page === 'user-edit.php' || $current_page === 'user-new.php') {
+            $candidates[] = 'users.php';
+        } elseif ($current_page === 'users.php') {
+            $candidates[] = 'user-edit.php';
+            $candidates[] = 'user-new.php';
+        }
+        return array_values(array_unique($candidates));
+    }
+    /**
+     * Check whether current request tries to edit superadmin user profile.
+     *
+     * @param string $current_page Current resolved admin page slug.
+     * @param int    $superadmin_id Superadmin user ID.
+     * @return bool
+     */
+    private function is_editing_superadmin_user($current_page, $superadmin_id) {
+        if ($current_page !== 'user-edit.php' || empty($superadmin_id)) {
+            return false;
+        }
+        // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Read-only access check.
+        $target_user_id = isset($_GET['user_id']) ? absint($_GET['user_id']) : 0;
+        return $target_user_id > 0 && $target_user_id === (int) $superadmin_id;
+    }
+}

dp-admin-access-menu/trunk/readme.txt

-                      r3440518
+                      r3487377
 Requires at least: 5.0
 Tested up to: 6.9
 Stable tag: 1.0.0
+Stable tag: 1.0.1
 Requires PHP: 7.0
 License: GPLv2 or later
 …
 == Changelog ==
+= 1.0.1 =
+* Fixed user management access mapping so Users menu access correctly allows `user-edit.php` and `user-new.php`.
+* Added protection to block non-superadmin users from editing the superadmin account.
 = 1.0.0 =
 * Initial release
 …
 == Upgrade Notice ==
+= 1.0.1 =
+Fixes user edit access behavior for allowed Users menu and adds stricter superadmin account protection.
 = 1.0.0 =
 Initial release of DP Admin Access Menu. Install to start controlling which menu items are visible to specific users.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory