[Escalated to Compatibility team] Bug found about the user role
This is the technical support forum for Toolset - a suite of plugins for developing WordPress sites without writing PHP.
This topic contains 12 replies, has 2 voices.
Last updated by Christopher Amirian 10 months ago.
Assisted by: Christopher Amirian.
Hi,
I believe I've found a bug with user roles in the CRED_Validator_User class. On lines 112-113, the only role checked is the first one, if it exists, which is not always the case.
```
$user_role_to_edit = isset( $_user->roles[0] ) ? strtolower( $_user->roles[0] ) : "";
$user_role_can_edit = json_decode( $form_fields['form_settings']->form['user_role'], true );
```
It seems the correct way would be `array_intersect( $user_role_can_edit, $_user->roles )`, given that more than one role can be editable.
Hi, the issue is reported and I will get back to you if I have an update.
Along the way, we might need you to replicate the issue on a clean installation. Thanks.
Hi,
I have the reply below from the second-tier support:
I ran some quick tests, and the code highlighted by the client wasn't triggered when it came to displaying an edit user form in the context of a user that had multiple roles assigned.
How are they adding multiple roles? With Access?
I found that the settings within the form (for the roles that can be edited) are overruled by the settings in Toolset > Access Control > Toolset Forms for the particular edit user form. I don't know if the client is using these.
So it seems we need to replicate the issue on a clean installation to be able to have clear steps to create the problem that we can share with the team.
I created a WordPress installation with Toolset plugins installed which you can login using the link below:
hidden link
I'd appreciate it if you could replicate the problem there and give us the steps to see the issue to follow up.
Thank you for your cooperation.
Sorry for the delay, I have just taken a look and wasn’t able to reproduce the exact issue but the end bug is the same.
If you assign a user multiple roles (I gave mine all of the default ones for testing purposes), then create a form that can edit users and select one or more roles **except the first one** in the user wp_capabilities array, the form will not allow editing.
On the test site, the user has the following:
```
a:5:{s:13:"administrator";b:1;s:6:"editor";b:1;s:10:"subscriber";b:1;s:6:"author";b:1;s:11:"contributor";b:1;}
```
If you check Test Form on the demo and try editing the user "demo" you will see an error message appear.
For information, the wp_capabilities data on my dev site is the following:
```
a:13:{s:26:"wpcf_custom_post_type_view";b:1;s:26:"wpcf_custom_post_type_edit";b:1;s:33:"wpcf_custom_post_type_edit_others";b:1;s:25:"wpcf_custom_taxonomy_view";b:1;s:25:"wpcf_custom_taxonomy_edit";b:1;s:32:"wpcf_custom_taxonomy_edit_others";b:1;s:22:"wpcf_custom_field_view";b:1;s:22:"wpcf_custom_field_edit";b:1;s:29:"wpcf_custom_field_edit_others";b:1;s:25:"wpcf_user_meta_field_view";b:1;s:25:"wpcf_user_meta_field_edit";b:1;s:32:"wpcf_user_meta_field_edit_others";b:1;s:13:"administrator";b:1;}
```
As “administrator” is not the first in the array, a user edit form with permission to edit that role still fails. As many plugins adjust roles and capabilities, the plugin shouldn't rely solely on the first key to check permissions.
Hope that helps. Have a nice weekend.
Hi,
I appreciate the message. The problem is that I cannot report if there is no way to replicate the issue on the installation I provided.
If you manage to replicate the problem on a clean installation I will be able to report.
Thank you for your understanding.
Sorry, perhaps I wasn't clear in my last message. I have reproduced the bug with the roles on the demo site as explained in my reply. The conditions to trigger it are different from my local site, but the bug is replicated on the demo form.
Hi,
Thank you for the message. So I tried to see if the form works or not and it does.
I used the test user that you have created and added many roles to it.
Now if I check the user form that you have created while I am logged in with the test user (the password is also test), the form submits with no issues.
I understand that you show the array and stuff, but it does not have any error as you mentioned in the form, so maybe if you could give me the exact steps to see the error I can help.
Thanks.
Hi Christopher,
I have prepared a video that shows you the steps on your demo site. What is the best way to send it to you?
Thanks
Hi,
Thank you very much. You can upload it to one of the online sharing services and paste the link in the next reply.
I usually use loom.com to create videos and it works well.
Thanks.
Hi,
Sorry for the delay, I've uploaded the video here for you:
hidden link
Hi,
Thank you for the video. I checked and the issue that you were encountering regarding the error message while submitting the edit form of the user was that in the settings of the form you did not set the Administrator role which is necessary for that user.
I explained the details here:
hidden link
Thanks.
Hi Christopher,
Thanks for the video, but the administrator role was left unchecked to demonstrate the bug. If the form is set to allow editing of the roles A, B or C and my user has roles B and C, it should be possible to edit the user.
As mentioned in my first post, only the first role is ever checked, which causes the bug as it ignores the case where users have more than one role or that the user's role to check may not be the first key in the array.
```
$user_role_to_edit = isset( $_user->roles[0] ) ? strtolower( $_user->roles[0] ) : "";
```
Thanks
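Added example, not code from Toolset or from either poster: a stand-alone PHP sketch that runs the first-role check quoted above next to the array_intersect check proposed in the first post, over capability maps constructed to mirror the two wp_capabilities values shown earlier in the thread. The helper names, the in_array membership test and the JSON form settings are assumptions; roles_from_caps follows WordPress core's approach of filtering capability keys for role names, which keeps the original array keys.

```php
<?php
// Added illustration, not Toolset code; all data below is constructed.

// Hypothetical helper: keep capability keys that are role names.
// array_filter() preserves the original numeric keys, so index 0 can be unset.
function roles_from_caps( array $caps, array $known_roles ): array {
    return array_filter( array_keys( $caps ), function ( $cap ) use ( $known_roles ) {
        return in_array( $cap, $known_roles, true );
    } );
}

// First-role check as quoted in the thread; the in_array() test is assumed.
function can_edit_first_role( array $roles, array $allowed ): bool {
    $role = isset( $roles[0] ) ? strtolower( $roles[0] ) : '';
    return in_array( $role, $allowed, true );
}

// Intersection check proposed in the first post: any shared role passes.
function can_edit_any_role( array $roles, array $allowed ): bool {
    $roles = array_map( 'strtolower', array_values( $roles ) );
    return count( array_intersect( $allowed, $roles ) ) > 0;
}

$known_roles = array( 'administrator', 'editor', 'author', 'contributor', 'subscriber' );

// Demo-site shape: several roles, administrator stored first.
$demo_caps = array(
    'administrator' => true, 'editor' => true, 'subscriber' => true,
    'author' => true, 'contributor' => true,
);
// Dev-site shape (shortened): custom capabilities precede the only role.
$dev_caps = array(
    'wpcf_custom_post_type_view' => true, 'wpcf_custom_post_type_edit' => true,
    'administrator' => true,
);

// Each case: capability map plus the form's allowed roles as a JSON string.
$cases = array(
    'demo user, form allows editor+author' => array( $demo_caps, '["editor","author"]' ),
    'dev user, form allows administrator'  => array( $dev_caps, '["administrator"]' ),
);
foreach ( $cases as $label => list( $caps, $form_setting ) ) {
    $roles   = roles_from_caps( $caps, $known_roles );
    $allowed = json_decode( $form_setting, true );
    printf( "%s: first-role=%s any-role=%s\n", $label,
        var_export( can_edit_first_role( $roles, $allowed ), true ),
        var_export( can_edit_any_role( $roles, $allowed ), true ) );
}
```

An any-match rule also makes an account holding subscriber plus administrator editable by a form that lists only subscriber. Where that matters, require every role the target user holds to be in the allowed list instead.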
mmm... Let me ask the second-tier support about that and get back to you.
Hi,
Thank you. The issue is reported to the development team.
There is no ETA for a fix.
I will inform you if there is any news.
Thanks.