caseproof / members Goto Github PK

Hi
facing an issue with required option validation for contact field which is bypassing some times with out any error
QSM version - latest
Browser - All

I created a role to enable one of the users to be able to create editors for their company website.
So this role adds the possibility to create users and add roles to them.
To my surprise the user with this role has the option to allow promoting themselves to administrator - or any other role - and also is capable of creating users adding all available roles in the system.
I could not find any documentation on this, but this seems to be a security problem ;-)

I am looking to create a new role: Membership Team that will allow users with the role to manage Member press users.

The only option/capabilities I see within Members is for Users.

What I need is the ability to expose the member press dashboard and grant read/write access to various part of it. How would one do so?

I noticed that the content blocker feature is incompatible with the bricks builder. This is most likely since it does not send its content through the_content.

However, there is a bricks filter one could utilize to achieve the same:

// Add bricks support to members
add_filter( 'bricks/frontend/render_data', function($content, $post, $area) {

    // Make sure members plugin is active
    if (!function_exists('members_content_permissions_protect')) {
        return $content;
    }

    if ($area != 'content') {
        return $content;
    }
    return members_content_permissions_protect($content);
}, 95, 3);

I did test this and i works. There might be some edge cases I am currently not aware of. The filter is documented here: https://academy.bricksbuilder.io/article/filter-bricks-frontend-render_data/

I would love to see this merged into the plugin. If I get some subtle hint where to best add the code, i will happily provide a pull request.

As of WordPress 5.9 wp.compose.withState is deprecated and instead wp.element.useState should be used.

useState was introduced in WordPress 5.2.

The minimum WordPress version would need to be increased in the readme, but I don't think that is unreasonable as WP 5.2 was released nearly three years ago.

Hi
I updated an old version 2.0.2 to the current one. The menu entry, which was under users, is gone. But there is as well no entry under settings (which should be called members).
My role is administraqtor, so it should be somewhere.
Can I correct this be uninstall-reinstall (which maybe resets all rights to default, so I can start fresh)?

There's currently a 50px width declared in

This causes an issue with longer translations like in German with "Aktivieren" for "Activate":

It doesn't seem like the width is necessary here and can be removed.

A 'select all' and select none' UI/UX pattern in the role editor would be appreciated.

I needed to create a role that nearly all permissions except for a handful; and it was mildly annoying to go through and create a role and clicking dozens of times.

I've been a big fan of Members for many years, and I appreciate the recent changes including rolling the add-ons into the free version of the plugin.

That said, the new plugin title reflects very poorly on this otherwise good quality plugin. It is spammy, its only purpose is for SEO, it cheapens the plugin, it's frankly embarrassing, and it makes me hesitate to any longer recommend the plugin to anyone because of its spammy title.

Imagine if every plugin had such spam in its title. What a nightmare.

Please, revert the title back to "Members" and add some class back to the plugin. Do your SEO elsewhere.

To display the Members meta box "content permissions" in the block editor I open the kebab menu (⋮) and go to options. The list of available options shows a block of svg-code instead of the option, only:

Tested on a local webserver with a plain vanilla WordPress 5.5.1 installation, default theme, no other plugins activated.

I'm an administrator and when I log into my own profile, the user roles checkbox no longer appears. By experimentation, this appears to be the case with only a person's own profile. Also, several of my user roles disappeared, though they can be reactivated if I have a different administrator add them.

I believe this problem began when the latest update was posted.

When I hit the Edit Page link from the black WP toolbar at the top of a page I get a series of warning messages flashed onto the screen and then get the normal editing page which seems to function properly. The messages are not up long enough to do a copy, but I have two screenshots, one using the WP administrator account and one a new site editor role with page edit caps, set up with Members.

Administrator
Site Editor

I am running a new install of Members on the current version of Wordpress using the Munk theme. I get the errors both on Firefox and when using an iPad

Active plugins:

• a3 Lazy Load
• Alfred, the Assistant
• Antispam Bee
• Broken Link Checker
• Easy Table of Contents
• Hide/Remove Metadata
• Kirki Customizer Framework
• Limit Login Attempts Reloaded
• Members
• Recent Posts Widget Extended
• Statify
• The Events Calendar
• TinyMCE Advanced
• WPForms Lite

I am new to Github, so apologies if I am doing this wrong.

Currently, Post/Page titles are still visible in search results and if the user visits the page directly. My preference would be that the user should not know that the post or page even exists if they do not have permission to view it.

If this fits with your vision for the plugin, then I have a pull request ready which will implement this. If not, fair enough! Either way an excellent plugin - easily the best of the capabilities plugins :-)

Hy,
Can you add a mass selection function for member roles by categories.

I posted (here) on the plugin's WordPress support forum last week, asking if the 3.1.4 changelog (it still only goes up to 3.1.3) could be shared, but haven't heard back from anyone. Could someone please share the changelog, so that we know what was changed or added or removed, etc.?

I use login shortcode but when user fill-in incorrect login/pass and press login it redirects to wp-login.php page and show error messages. Is it possible stay at the same page and see error messages below fields? I don't want the user to see the default WP login page.

When using the member plugin together with the auth0 plugin an infinite redirect loop is created.

The member plugin is configured to create a "private website". Meaning the plugin redirects as supposed to the login page, which in this case leads to getting redirected to the auth0 login page. When successfully authenticated there the user gets redirected to wordpress with some keys as parameters. I think at this point, members redirects the user back to the login page before the auth0 plugin can check for the parameters and set the auth cookie.

Sorry, couldn't find a single place that talks about this. So, what are the limitations on the free version? Will I face a limitation around the number of users, roles, or restricted pages?

I allowed a specific role of editing posts (Executives).

I can select the right authors from that role on quick edit mode but inside the post's block editor, all authors are available from different roles, like subscriber, editor etc

Could you update the change log, so we know what changes are being made? Thanks!

Deprecated dynamic properties (PHP 8.2+)

Plugin version: 3.2.5

These deprecation warnings appear in WP admin:

Creation of dynamic property Members\Admin\Settings_Page::$admin_pages is deprecated
wp-content/plugins/members/admin/class-settings.php:222

Creation of dynamic property Members\Admin\Settings_Page::$addons_page is deprecated
wp-content/plugins/members/admin/class-settings.php:225

Creation of dynamic property Members\Admin\Settings_Page::$payments_page is deprecated
wp-content/plugins/members/admin/class-settings.php:228

Creation of dynamic property Members\Admin\Settings_Page::$about_page is deprecated
wp-content/plugins/members/admin/class-settings.php:231

There are probably more in that file and in other files as well.

See: https://www.php.net/manual/en/migration82.deprecated.php
See: https://php.watch/versions/8.2/dynamic-properties-deprecated

Is this the upstream for WP Members?

https://www.securityweek.com/security-flaw-in-wp-members-plugin-leads-to-script-injection/

https://www.wordfence.com/blog/2024/04/unauthenticated-stored-cross-site-scripting-vulnerability-patched-in-wp-members-membership-plugin-500-bounty-awarded/

Are there any plans to patch the free version, too?

Hello--

When unchecking the Role Manager setting and then saving the settings, I had the following error thrown:

"Uncaught Error: Call to a member function template() on bool"

Specifically, the offending code is in members/admin/class-settings.php within the settings_page method.

public function settings_page() { ?>
 
        <div class="wrap">
            <h1><?php echo esc_html_x( 'Members', 'admin screen', 'members' ); ?></h1>
 
            **<?php $this->get_view( members_get_current_settings_view() )->template(); ?>**
 
        </div><!-- wrap -->
    <?php }

Interestingly, the Members side menu disappears from the admin menu as well, with no way to get it back. Deactivating or reactivating didn't help.

In exploring the plugin, what I've learned thus far is that the admin menu hooks inside the class-role-new.php class constructor are wrapped in a conditional that calls 'members_role_manager_enabled'. Obviously, this will return false when the role manager is disabled, and in turn, the Members parent menu page never gets registered or displayed. And with all Members functionality relocated under that parent menu page in 3.0, turning off the Role Manager essentially renders all plugin functionality inaccessible.

Hi there,

I think the license field in package.json should be updated to also say GPLv2.

Regards and thanks for the great work!

Hi,

Since upgrading to 3.2.1 we've observed a "blank" classic editor in some themes example. It happens for users in roles without the "manage options" capability while editing a post type that does not use gutenberg (e.g. WooCommerce products).

It looks like the culprit is several calls to $this->get()['active'] in class-notifications.php, but when get() returns an empty array (ie, when the has_access() is false), an error will result because there is no value for 'active'. The fix is editing the beginning of the get() method, such as:

    if ( ! self::has_access() ) {
      return [
        'active' => false,
      ];
    }

..so the array is initialized with a value for 'active' the other checks are looking for.

Happy to submit a PR!

Members roles don't work with forum and subforums pages created by plugin bbress forum
please check thanks

The SVG in this line is getting html escaped at some point which makes for an ugly display on the settings panel located in wordpress:

page > preferences > panels > additional

Hello,

I notice that if a user has multiple roles, he will have the capabilities of the role with the lesser capabilities. I would prefer he keep the capabilities of the « higher » role. How may I do that ?

https://github.com/caseproof/members/blob/1bf477fff500e305cecebfd93d54b591aaa56ad0/addons/members-acf-integration/src/Plugin.php#L246C1-L247C1

PHP Deprecated: Automatic conversion of false to array is deprecated in /plugins/members/addons/members-acf-integration/src/Plugin.php on line 246

This is a notice in PHP 8.1. It can be fixed by merging the array:

$args['supports'] = array_merge((array)$args['supports'], array('author'));

The documentation link in the plugin settings page links to an archived repository - Link

The Support Forum link in the plugin settings page links to an unsecure web page called Theme Hybrid - Link (Click at your own risk; This is here just to show what the link (on the plugin page) links to)

If someone Xs out of the question if we like the plugin you should respect the lack of an answer and stop pestering with the repeated prompt for an answer.

Your latest version results in the following when loading SVGs on the addons page:
PHP Parse error: syntax error, unexpected 'version' (T_STRING)

It is an issue in the file:
class-view-addons.php

Change:
<?php include members_plugin()->dir . "img/{$addon->name}.svg"; ?>

To:
<?php echo file_get_contents(members_plugin()->dir . "img/{$addon->name}.svg"); ?>

I created a custom post type event

// Register a new post type Events.

register_post_type('event', [
    'capability_type' => 'event',
    'map_meta_cap' => true,
    'supports' => ['title', 'editor', 'excerpt'],
    'rewrite' => ['slug' => 'events'],
    'has_archive' => true,
    'public' => true,
    'labels' => [
        'name' => 'Events',
        'add_new_item' => 'Add New Event',
        'edit_item' => 'Edit Event',
        'all_items' => 'All Events',
        'singular_name' => 'Event'
    ],
    'menu_icon' => 'dashicons-calendar'
]);

Then I added a new Role called "Event Planner" and gave it these permissions

General -> Read
Events -> edit_events, edit_others_events, delete_events, publish_events, read_private_events, delete_private_events, delete_published_events, delete_others_events, edit_private_events, edit_published_events.

and Assigned this role to a user from Users Roles -> Event Planner (only this role) and disabled the rest.

Now when I try to edit an event or create one with the Gutenberg Editor the browser crashes. not just for me but for a lot of people as well.

I had to remove the arg 'show_in_rest' => true to go back to classic Editor.
Is this a Bug or is there a work around this issue.

WordPress: Version 5.6
Members – Membership & User Role Editor Plugin: Version: 3.1.3
OS: Ubuntu 20.4
Chrome: Version 87.0.4280.88 (Official Build) (64-bit)

Hello,

I have both Members and Custom Post Type UI plugins installed and I'm facing an issue : In my role manager, and for my users of wp-admin, I can only grant or deny access to posts (globally speaking), but I would like to grant or deny access to custom posts types created, is it possible ?

Your message that appears constantly!!! on WP to rate the plugin is more than annoying!

Please don't!!!!!!!!!

Hi,

to the certain role I can add access to Read and Edit Others' Posts - this way users with this role can view all posts but edit only posts where he/she is the author.

But is it possible to show only posts where the person is the author? It would be cool to have similar capabilities like for Edit, so Read and Read Others' Posts.

Any ideas here?

Regards,
Zbyszek

Warning: in_array() expects parameter 2 to be array, bool given in /wp-content/plugins/members/members.php on line 446

On a new site get_option( 'members_active_addons' ) is FALSE and thus the !in_array() conditional fails.

I need to send an email if the a specific role is attribuited to an user. However the default wordpress action 'set_user_role' seems not to be called when using 'members'.
Also the:

do_action( ‘profile_update’, int $user_id, WP_User $old_user_data, array $userdata )

does not carry the new attribued role ( and neither can I retrieve using the $user_id, because at this point the user seems to still have the old roles).

Is there an action not documented called when changing, adding, editing an user's role? Looking trhought the code I could not see it.

Running more than multiple sites presents numerous challenges. There are so many details to stay on top of. It is especially challenging when trying to ensure that each site is configured with the same permissions. It would be very handy to be able to export a role or group of roles from one site then import these settings into another site to maintain consistency.

In addition these exports can be used for security scanning, by comparing a known good master config against newer config for changes and then alerting the site admin to investigate.

WPCLI tools would be ideal.

Wordpress ver. 5.7.2
Plugin ver. 3.1.5
PHP ver. 5.6.40

Not sure if could be an issue related with my current Php Ver. but the thing is the the multiple Roles capabilites are missing completely (When Creating new user, Editing current user or in the user screen). There is no way to actually add more than one role to any user. Instead in the role section it shows a input which obviusly only let me give one input at a time. Also i am using a plugin related to users which is Expire Users (Ver. 1.2) but already troubleshoot by deactivating and checking for any changes, but issue persist. Please let me know if there is anything else that i would need to do, or if there is actually a normal issue with the current enviroments and we will need to downgrade to a previous versions. Thanks in advance!

Members 3.0.2 + Learndash + Instructor role:

Members doesn't save permissions for groups for role Instructor.
It was ok before update of Members

This is still an issue in the current version of the plugin.

https://wordpress.org/support/topic/hierarchical-roles-no-longer-have-lower-equal-or-lower-option/

Good day,

According to github security alerts, the latest version of the plugin has these security vulnerabilities

It is required to update these requirements in order to avoid security issues

Hello, thank you for your Plugin! I figured out, that php runs in a fatal error in backend, when a user role has no capabilities.
In this case throws function array_filter in /wp-includes/class-wp-user-query.php row 452 a fatal error because $role_data['capabilities'] is NULL instead of an array. I hotfixed it for me by changing the line into
$role_caps = is_array($role_data['capabilities']) ? array_keys( array_filter( $role_data['capabilities'] ) ) : [];
Perhaps there is a way to return an empty array for $role_data['capabilities'] instead of NULL in this case?
Thank you and best regards, likestor

Problem

As of now there are several deprecation notices when using PHP 8.2.

PHP Deprecated: Creation of dynamic property Members\Admin\Settings_Page::$admin_pages is deprecated in */wp-content/plugins/members/admin/class-settings.php on line 222
PHP Deprecated: Creation of dynamic property Members\Admin\Settings_Page::$addons_page is deprecated in */wp-content/plugins/members/admin/class-settings.php on line 225
PHP Deprecated: Creation of dynamic property Members\Admin\Settings_Page::$payments_page is deprecated in */wp-content/plugins/members/admin/class-settings.php on line 228
PHP Deprecated: Creation of dynamic property Members\Admin\Settings_Page::$about_page is deprecated in */wp-content/plugins/members/admin/class-settings.php on line 231

Solution

Declare the properties in the Settings_Page class.

final class Settings_Page {
    
    public array $admin_pages;
    
    public string $addons_page;
    
    public string $payments_page;
    
    public string $about_page;

    // ...............
}

I got this error trace all over my admin dashboard pages "Warning: Undefined array key "active" in /home/icelorid/staging.icel.or.id/wp-content/plugins/members/admin/class-notifications.php on line 414".

I guess there's an unchecked variable. It should be checked with isset() method or something like that. Please fix this, this site is for my client. I know I can just hide it when later I set the WP_DEBUG to false, but I'm worry it'll cause some issues.

Thanks.

This relates specifically to the "Members - Admin Access" plugin.

The following line includes a file called bootstrap/app.php:
https://github.com/caseproof/members/blob/develop/addons/members-admin-access/addon.php#L3

The intent here is to include the file in the addon folder. However in our case, we also have a boostrap/app.php file at the root of our theme (which bootstraps our framework).

What happens is that the require_once matches our file before it matches yours, breaking our site. From our end, we have renamed our app.php file to something else however I think it's worth being explicit with your require_once call by telling it to only look in the current directory:

So instead of this:

<?php

require_once( 'bootstrap/app.php' );

You do this:

<?php

require_once( __DIR__.'/bootstrap/app.php' );

It's a simple change that is backwards compatible and just prevents issues like this from cropping up.