Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3490094

Timestamp:

03/24/2026 02:16:10 PM (5 days ago)

Author:

devpriyanshu

Message:

Release 1.0.2: fix taxonomy term create/edit access mapping and improve menu query-string matching

Location:

dp-admin-access-menu

Files:

: 3 edited
: 10 copied

tags/1.0.2 (copied) (copied from dp-admin-access-menu/trunk)
tags/1.0.2/assets (copied) (copied from dp-admin-access-menu/trunk/assets)
tags/1.0.2/assets/screenshots/icon-256x256.png (copied) (copied from dp-admin-access-menu/trunk/assets/screenshots/icon-256x256.png)
tags/1.0.2/deploy-to-svn.sh (copied) (copied from dp-admin-access-menu/trunk/deploy-to-svn.sh)
tags/1.0.2/dp-admin-access-menu.php (copied) (copied from dp-admin-access-menu/trunk/dp-admin-access-menu.php) (2 diffs)
tags/1.0.2/includes (copied) (copied from dp-admin-access-menu/trunk/includes)
tags/1.0.2/includes/class-dpama-menu-filter.php (copied) (copied from dp-admin-access-menu/trunk/includes/class-dpama-menu-filter.php) (10 diffs)
tags/1.0.2/languages (copied) (copied from dp-admin-access-menu/trunk/languages)
tags/1.0.2/readme.txt (copied) (copied from dp-admin-access-menu/trunk/readme.txt) (3 diffs)
tags/1.0.2/uninstall.php (copied) (copied from dp-admin-access-menu/trunk/uninstall.php)
trunk/dp-admin-access-menu.php (modified) (2 diffs)
trunk/includes/class-dpama-menu-filter.php (modified) (10 diffs)
trunk/readme.txt (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

dp-admin-access-menu/tags/1.0.2/dp-admin-access-menu.php

-                      r3487377
+                      r3490094
  * Plugin URI: https://wordpress.org/plugins/dp-admin-access-menu
  * Description: Control which WordPress backend menu items are visible to specific users. Perfect for managing user access and customizing admin experience.
  * Version: 1.0.1
+ * Version: 1.0.2
  * Author: devpriyanshu
  * Author URI: https://profiles.wordpress.org/devpriyanshu/
 …
 // Define plugin constants
 define('DPAMA_VERSION', '1.0.1');
+define('DPAMA_VERSION', '1.0.2');
 define('DPAMA_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('DPAMA_PLUGIN_URL', plugin_dir_url(__FILE__));

dp-admin-access-menu/tags/1.0.2/includes/class-dpama-menu-filter.php

-                      r3487377
+                      r3490094
         $allowed_menus = $settings[$current_user_id];
+        $normalized_allowed_menus = $this->normalize_menu_ids($allowed_menus);
         global $menu, $submenu;
 …
                 // Only show menus that are explicitly in the allowed list
                 if (!in_array($menu_id, $allowed_menus)) {
+                if (!$this->is_menu_allowed($menu_id, $normalized_allowed_menus)) {
                     // Mark for removal
                     $menus_to_remove[] = $menu_key;
 …
                             // Only show child menus that are explicitly in the allowed list
                             if (!in_array($submenu_id, $allowed_menus)) {
+                            if (!$this->is_menu_allowed($submenu_id, $normalized_allowed_menus)) {
                                 $children_to_remove[] = $submenu_key;
+                            }
 …
         $allowed_menus = $settings[$current_user_id];
+        $normalized_allowed_menus = $this->normalize_menu_ids($allowed_menus);
         // Get current page being accessed
 …
         foreach ($current_page_candidates as $candidate_page) {
             // Direct match
             if (in_array($candidate_page, $allowed_menus, true)) {
+            if ($this->is_menu_allowed($candidate_page, $normalized_allowed_menus)) {
                 $page_allowed = true;
                 break;
 …
             // Check for partial matches (for query string variations)
             foreach ($allowed_menus as $allowed_menu) {
+            foreach ($normalized_allowed_menus as $allowed_menu) {
                 // If current page starts with allowed menu or vice versa
                 if (strpos($candidate_page, $allowed_menu) === 0 || strpos($allowed_menu, $candidate_page) === 0) {
 …
+        }
         // For taxonomy pages
+        // For taxonomy listing/create pages
         if ($pagenow === 'edit-tags.php') {
             // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Not processing form data, just reading URL parameters
 …
             $post_type = isset($_GET['post_type']) ? sanitize_text_field(wp_unslash($_GET['post_type'])) : 'post';
+            if ($post_type === 'post') {
+                return 'edit.php';
+            } elseif ($post_type === 'page') {
+                return 'edit.php?post_type=page';
+            } else {
+                return 'edit.php?post_type=' . $post_type;
+            }
+            if (!empty($taxonomy)) {
+                if ($post_type === 'post') {
+                    return 'edit-tags.php?taxonomy=' . $taxonomy;
+                }
+                return 'edit-tags.php?taxonomy=' . $taxonomy . '&post_type=' . $post_type;
+            }
+            // Fallback when taxonomy is missing.
+            return 'edit-tags.php';
+        }
+        // For taxonomy term edit pages (e.g. WooCommerce product category edit).
+        if ($pagenow === 'term.php') {
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Not processing form data, just reading URL parameter
+            $taxonomy = isset($_GET['taxonomy']) ? sanitize_text_field(wp_unslash($_GET['taxonomy'])) : '';
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Not processing form data, just reading URL parameter
+            $post_type = isset($_GET['post_type']) ? sanitize_text_field(wp_unslash($_GET['post_type'])) : 'post';
+            if (!empty($taxonomy)) {
+                if ($post_type === 'post') {
+                    return 'term.php?taxonomy=' . $taxonomy;
+                }
+                return 'term.php?taxonomy=' . $taxonomy . '&post_type=' . $post_type;
+            }
+            return 'term.php';
+        }
 …
+        }
+        // Taxonomy listing/create pages should allow related term edit pages and vice versa.
+        if (strpos($current_page, 'edit-tags.php?taxonomy=') === 0) {
+            $candidates[] = str_replace('edit-tags.php?', 'term.php?', $current_page);
+        } elseif (strpos($current_page, 'term.php?taxonomy=') === 0) {
+            $candidates[] = str_replace('term.php?', 'edit-tags.php?', $current_page);
+        }
         return array_values(array_unique($candidates));
+    }
 …
         return $target_user_id > 0 && $target_user_id === (int) $superadmin_id;
+    }
+    /**
+     * Normalize a list of menu IDs for reliable matching.
+     *
+     * @param array $menu_ids Raw menu IDs.
+     * @return array
+     */
+    private function normalize_menu_ids($menu_ids) {
+        if (!is_array($menu_ids)) {
+            return array();
+        }
+        $normalized = array();
+        foreach ($menu_ids as $menu_id) {
+            $normalized[] = $this->normalize_menu_id($menu_id);
+        }
+        return array_values(array_unique(array_filter($normalized)));
+    }
+    /**
+     * Normalize one menu ID (slug + sorted query string).
+     *
+     * @param string $menu_id Raw menu ID.
+     * @return string
+     */
+    private function normalize_menu_id($menu_id) {
+        $menu_id = html_entity_decode((string) $menu_id, ENT_QUOTES, 'UTF-8');
+        if (strpos($menu_id, '?') === false) {
+            return $menu_id;
+        }
+        $parts = wp_parse_url($menu_id);
+        if (!is_array($parts) || empty($parts['path'])) {
+            return $menu_id;
+        }
+        if (empty($parts['query'])) {
+            return $parts['path'];
+        }
+        $query_args = array();
+        wp_parse_str($parts['query'], $query_args);
+        ksort($query_args);
+        return $parts['path'] . '?' . http_build_query($query_args, '', '&');
+    }
+    /**
+     * Check if menu slug is in the allowed list.
+     *
+     * @param string $menu_id Menu slug to validate.
+     * @param array  $normalized_allowed_menus Normalized allowed menu IDs.
+     * @return bool
+     */
+    private function is_menu_allowed($menu_id, $normalized_allowed_menus) {
+        $normalized_menu_id = $this->normalize_menu_id($menu_id);
+        return in_array($normalized_menu_id, $normalized_allowed_menus, true);
+    }
+}

dp-admin-access-menu/tags/1.0.2/readme.txt

-                      r3487377
+                      r3490094
 Requires at least: 5.0
 Tested up to: 6.9
 Stable tag: 1.0.1
+Stable tag: 1.0.2
 Requires PHP: 7.0
 License: GPLv2 or later
 …
 == Changelog ==
+= 1.0.2 =
+* Fixed taxonomy access mapping so allowed Category/Tag permissions correctly allow create and edit term pages (`edit-tags.php` and `term.php`) including WooCommerce product taxonomies.
+* Improved normalized matching for menu slugs with query parameters to avoid false permission denials.
 = 1.0.1 =
 * Fixed user management access mapping so Users menu access correctly allows `user-edit.php` and `user-new.php`.
 …
 == Upgrade Notice ==
+= 1.0.2 =
+Fixes Category/Tag create-edit permissions for taxonomy pages and improves query-string menu matching.
 = 1.0.1 =
 Fixes user edit access behavior for allowed Users menu and adds stricter superadmin account protection.

dp-admin-access-menu/trunk/dp-admin-access-menu.php

-                      r3487377
+                      r3490094
  * Plugin URI: https://wordpress.org/plugins/dp-admin-access-menu
  * Description: Control which WordPress backend menu items are visible to specific users. Perfect for managing user access and customizing admin experience.
  * Version: 1.0.1
+ * Version: 1.0.2
  * Author: devpriyanshu
  * Author URI: https://profiles.wordpress.org/devpriyanshu/
 …
 // Define plugin constants
 define('DPAMA_VERSION', '1.0.1');
+define('DPAMA_VERSION', '1.0.2');
 define('DPAMA_PLUGIN_DIR', plugin_dir_path(__FILE__));
 define('DPAMA_PLUGIN_URL', plugin_dir_url(__FILE__));

dp-admin-access-menu/trunk/includes/class-dpama-menu-filter.php

-                      r3487377
+                      r3490094
         $allowed_menus = $settings[$current_user_id];
+        $normalized_allowed_menus = $this->normalize_menu_ids($allowed_menus);
         global $menu, $submenu;
 …
                 // Only show menus that are explicitly in the allowed list
                 if (!in_array($menu_id, $allowed_menus)) {
+                if (!$this->is_menu_allowed($menu_id, $normalized_allowed_menus)) {
                     // Mark for removal
                     $menus_to_remove[] = $menu_key;
 …
                             // Only show child menus that are explicitly in the allowed list
                             if (!in_array($submenu_id, $allowed_menus)) {
+                            if (!$this->is_menu_allowed($submenu_id, $normalized_allowed_menus)) {
                                 $children_to_remove[] = $submenu_key;
+                            }
 …
         $allowed_menus = $settings[$current_user_id];
+        $normalized_allowed_menus = $this->normalize_menu_ids($allowed_menus);
         // Get current page being accessed
 …
         foreach ($current_page_candidates as $candidate_page) {
             // Direct match
             if (in_array($candidate_page, $allowed_menus, true)) {
+            if ($this->is_menu_allowed($candidate_page, $normalized_allowed_menus)) {
                 $page_allowed = true;
                 break;
 …
             // Check for partial matches (for query string variations)
             foreach ($allowed_menus as $allowed_menu) {
+            foreach ($normalized_allowed_menus as $allowed_menu) {
                 // If current page starts with allowed menu or vice versa
                 if (strpos($candidate_page, $allowed_menu) === 0 || strpos($allowed_menu, $candidate_page) === 0) {
 …
+        }
         // For taxonomy pages
+        // For taxonomy listing/create pages
         if ($pagenow === 'edit-tags.php') {
             // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Not processing form data, just reading URL parameters
 …
             $post_type = isset($_GET['post_type']) ? sanitize_text_field(wp_unslash($_GET['post_type'])) : 'post';
+            if ($post_type === 'post') {
+                return 'edit.php';
+            } elseif ($post_type === 'page') {
+                return 'edit.php?post_type=page';
+            } else {
+                return 'edit.php?post_type=' . $post_type;
+            }
+            if (!empty($taxonomy)) {
+                if ($post_type === 'post') {
+                    return 'edit-tags.php?taxonomy=' . $taxonomy;
+                }
+                return 'edit-tags.php?taxonomy=' . $taxonomy . '&post_type=' . $post_type;
+            }
+            // Fallback when taxonomy is missing.
+            return 'edit-tags.php';
+        }
+        // For taxonomy term edit pages (e.g. WooCommerce product category edit).
+        if ($pagenow === 'term.php') {
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Not processing form data, just reading URL parameter
+            $taxonomy = isset($_GET['taxonomy']) ? sanitize_text_field(wp_unslash($_GET['taxonomy'])) : '';
+            // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Not processing form data, just reading URL parameter
+            $post_type = isset($_GET['post_type']) ? sanitize_text_field(wp_unslash($_GET['post_type'])) : 'post';
+            if (!empty($taxonomy)) {
+                if ($post_type === 'post') {
+                    return 'term.php?taxonomy=' . $taxonomy;
+                }
+                return 'term.php?taxonomy=' . $taxonomy . '&post_type=' . $post_type;
+            }
+            return 'term.php';
+        }
 …
+        }
+        // Taxonomy listing/create pages should allow related term edit pages and vice versa.
+        if (strpos($current_page, 'edit-tags.php?taxonomy=') === 0) {
+            $candidates[] = str_replace('edit-tags.php?', 'term.php?', $current_page);
+        } elseif (strpos($current_page, 'term.php?taxonomy=') === 0) {
+            $candidates[] = str_replace('term.php?', 'edit-tags.php?', $current_page);
+        }
         return array_values(array_unique($candidates));
+    }
 …
         return $target_user_id > 0 && $target_user_id === (int) $superadmin_id;
+    }
+    /**
+     * Normalize a list of menu IDs for reliable matching.
+     *
+     * @param array $menu_ids Raw menu IDs.
+     * @return array
+     */
+    private function normalize_menu_ids($menu_ids) {
+        if (!is_array($menu_ids)) {
+            return array();
+        }
+        $normalized = array();
+        foreach ($menu_ids as $menu_id) {
+            $normalized[] = $this->normalize_menu_id($menu_id);
+        }
+        return array_values(array_unique(array_filter($normalized)));
+    }
+    /**
+     * Normalize one menu ID (slug + sorted query string).
+     *
+     * @param string $menu_id Raw menu ID.
+     * @return string
+     */
+    private function normalize_menu_id($menu_id) {
+        $menu_id = html_entity_decode((string) $menu_id, ENT_QUOTES, 'UTF-8');
+        if (strpos($menu_id, '?') === false) {
+            return $menu_id;
+        }
+        $parts = wp_parse_url($menu_id);
+        if (!is_array($parts) || empty($parts['path'])) {
+            return $menu_id;
+        }
+        if (empty($parts['query'])) {
+            return $parts['path'];
+        }
+        $query_args = array();
+        wp_parse_str($parts['query'], $query_args);
+        ksort($query_args);
+        return $parts['path'] . '?' . http_build_query($query_args, '', '&');
+    }
+    /**
+     * Check if menu slug is in the allowed list.
+     *
+     * @param string $menu_id Menu slug to validate.
+     * @param array  $normalized_allowed_menus Normalized allowed menu IDs.
+     * @return bool
+     */
+    private function is_menu_allowed($menu_id, $normalized_allowed_menus) {
+        $normalized_menu_id = $this->normalize_menu_id($menu_id);
+        return in_array($normalized_menu_id, $normalized_allowed_menus, true);
+    }
+}

dp-admin-access-menu/trunk/readme.txt

-                      r3487377
+                      r3490094
 Requires at least: 5.0
 Tested up to: 6.9
 Stable tag: 1.0.1
+Stable tag: 1.0.2
 Requires PHP: 7.0
 License: GPLv2 or later
 …
 == Changelog ==
+= 1.0.2 =
+* Fixed taxonomy access mapping so allowed Category/Tag permissions correctly allow create and edit term pages (`edit-tags.php` and `term.php`) including WooCommerce product taxonomies.
+* Improved normalized matching for menu slugs with query parameters to avoid false permission denials.
 = 1.0.1 =
 * Fixed user management access mapping so Users menu access correctly allows `user-edit.php` and `user-new.php`.
 …
 == Upgrade Notice ==
+= 1.0.2 =
+Fixes Category/Tag create-edit permissions for taxonomy pages and improves query-string menu matching.
 = 1.0.1 =
 Fixes user edit access behavior for allowed Users menu and adds stricter superadmin account protection.

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory