DISALLOW_FILE_EDIT constant being ignored

In my wp-config.php file, I have the line:

define('DISALLOW_FILE_EDIT', true);

I always include this on all sites as standard, and it's always worked exactly as expected. However, I've only just noticed that on one client's site, it has stopped working.

They have the User Role Editor plugin that was set up to define a handful of custom roles. Once the roles were set up, the plugin was deactivated (it doesn't need to be active for the roles to exist) and all the caps for the roles are controlled via a custom plugin.

However, since the last plugin update, it looks like the wp_user_roles entry in the database has been updated, and administrator-level users now have access to the file editor for themes plugins, despite DISALLOW_FILE_EDIT still being defined as true.

I added a filter to one of my plugins that basically does the same thing as wp-includes/capabilities.php:

function vnmAdmin_preventFileEdits($required_caps, $cap, $user_id, $args) {

    $blocked_caps = array(
        'edit_files',
        'edit_plugins',
        'edit_themes',
    );

    if (in_array($cap, $blocked_caps)) {
        $required_caps[] = 'do_not_allow';
    }

    return $required_caps;
}

add_filter('map_meta_cap', 'vnmAdmin_preventFileEdits', 10, 4);

...but this still doesn't work. No matter what I do, I can't remove the edit_files/themes/plugins ability from administrator users. And I definitely want to.

Is there anything else I'm missing here?

Topic constants user-roles wp-config Wordpress

Category Web

1
answered at

This appeared to be the result of (what I assume) was the User Role Editor plugin being updated, and then directly affecting the wp_user_role field on the options table of the database, which somehow led to DISALLOW_FILE_EDIT being ignored.

I had to take several steps to fix this, as there were custom user roles I had created, as well as roles added by WooCommerce. The steps I took:

  • Copied the wp_user_roles field from the database, so that I had a serialised array of all the custom user roles to hand;
  • With the User Role Editor plugin active, went to Settings->User Role Editor, clicked on the Tools tab, then click the red Reset button (note the warnings about this resetting ALL user roles). After this was done, the plugin/theme file editor had disappeared - DISALLOW_FILE_EDIT was no longer being ignored.
  • Deactivated User Role Editor
  • Deactivated, then reactivated WooCommerce (to re-add the WooCommerce user roles like Customer & Shop Manager)
  • Wrote a custom plugin to add the roles that had previously been added by User Role Editor.

With regard to that last point: Because I'd saved a copy of the serialised array, I simply unserialised it and used the role information therein to create the custom roles I needed:

//  Activate the plugin

function myPlugin_install() {
    addCustomRoles();
}

register_activation_hook( __FILE__, 'myPlugin_install');

//  Add the custom roles

function addCustomRoles() {
    $userRolesArray = array();

    $userRolesArray['content_management'] = array(
        'name'  => 'Content Management',
        'capabilities'  => array(
            'level_0' => true,
            'level_1' => true,
            'level_2' => true,
            'level_3' => true,
            'edit_published_pages' => true,
            'edit_published_posts' => true,
            'edit_published_products' => true,
        )
    );

    $userRolesArray['content_consumer'] = array(
        'name'  => 'Content Consumer',
        'capabilities'  => array(
            //  etc.
        )
    );

    foreach($userRolesArray as $role=>$detailsArray) {

        $result = add_role(
            $role,
            $detailsArray['name'],
            $detailsArray['capabilities']
        );
    }
}

Then I deactivated & reactivated my custom plugin and boom, all of the user roles were back as before, and the file editor is disabled across all roles once more.

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.