-
I would like to know what others are experiencing when setting up the default user level when someone registers a new account with regards to image uploading.
I don’t know if it’s a theme restriction or something in UserPro. It’s not making sense for it to be a theme restriction. Basically the only way I could get a successful upload of an image with in a post from the front end publisher is when the user was set to the editor level.
I’m not comfortable giving every one editor access, but the author level (the one it should be set to) will not allow an image to be uploaded. The editor displays the media button, but the upload fails.
My thought was, if the user level (role) allowed for the media button to show up on the post editor, shouldn’t hey have permission to upload? Would this be a bug then?
Thanks … Scott
UPDATE:
I was able to successfully set up a test site using the “Advanced Access Manager” with UserPro to allow the creation of custom roles as well as change access and a whole lot more. It’s actually overkill for what I want to do, but I like the interface, and it’s easy to manage. Plus, it didn’t break UserPro YEAH!!!
I am concerned though about the access level needed to upload an image. When editing the capabilities of the new role I set up I started by cloning the editor level and it all worked as expected. Once I removed the ability to edit or delete other posts and pages (thats all I changed) the role won’t allow an image upload.
Which brings me to another question, how do users edit their own published posts?
I’m using the twenty twelve theme on a brand new installation of WP 3.8
I believe I figured out the WHY … I just need a solution still
I learned the one item that caused the user level to fail when uploading images. The ability to edit others pages. The user needs the ability since the publishing short code adds the post editor to a page, WP thinks the user is editing the page, therefore they need access to edit pages that are not their own.
This presents a huge security risk, the user can now edit any page including the pages where the shortcodes are placed.
It’s unfortunate, this one item may end up rendering this plug in unusable for my site. I can handle stopping down access to the back end and allowing users to edit their posts, but if they have to have access to edit all pages, that just won’t work.
This presents a huge security risk, the user can now edit any page including the pages where the shortcodes are placed.
I am sorry, can you clarify at which UserPro feature this can happen? Thanks
I have shortcode of UserPro in this page, can you try to edit the page? I think I am missing something, or I am not getting it correctly.
I was using one of the default wordpress themes – twentytwelve – and that theme has edit links on all the pages for roles with the level of permission that is required to upload an image with the post editor. Clicking on the edit page link took me to the backend admin panel where I was able to load up any page in the backend editor.
The theme I will be using does not have those edit links, which I am assuming a lot of themes don’t, however, anyone familiar with WordPress could just enter in the proper edit string on the end of the URL and bypass the front end.
Here’s something to try on your site …
Go to your pages admin section when you’re logged in as admin, copy the edit link for your “My Profile” page. Mine looks like this … http://mywebsite.com/wp-admin/post.php?post=9&action=edit
Now, logout and log back in as a user (create a test account if you don’t have one) . Then paste that link into your browser and see if it opens the edit page, or if it redirects you.
… Scott
You must be logged in to reply to this topic.