Classified Member role and capabilities: users able to edit other users' classified posts

I created a new user and set their role to classified members.
I then logged into the classified member user account and posted a classified ad.
In the left sidebar navigation, there are 2 "classified" headers.
1) /wp-admin/edit.php?post_type=classifieds
2) /wp-admin/admin.php?page=classifieds

/wp-admin/edit.php?post_type=classifieds seems to be a super admin menu. It displays, in a table, the logged-in user's classified posts, BUT in the header, it displays
Mine (#) | All (#) | Published (#) | Drafts (#)

If the classified member user clicks on the "All" link, they are directed to a table listing all users' posts. From there they can scroll over the title to surface a menu
edit | quick edit | trash | view

This allows classifieds member 1 to edit or delete anyone's classified posts
OUCH!

  • soberhood
    • Flash Drive

    I uploaded the role editor plugin and have attached a screenshot of the out-of-the-box Classified Member capabilities.

    It does appear to give them permission to edit_others_classifieds and delete_others_classifieds.

    What is the difference between:
    edit_classified / delete_classified
    and
    edit_classifieds / delete_classified

    There is also something called read_private_classifieds.
    Are these the user's unpublished classifieds or other users' unpublished classifieds?

    Thanks

  • soberhood
    • Flash Drive

    I forgot to add that via the User Role Editor I changed the out-of-the-box settings by unchecking
    their ability to edit_others_classifieds and delete_others_classifieds.

    When I tested this I was still able to get into another user's edit page via
    /wp-admin/edit.php?post_type=classifieds / header /
    Mine (#) | All (#) | Published (#) | Drafts (#)

    When I try to save those edits, the system gives me a "you do not have permission to do that" message.

    I would not have expected a user to be able to get that far along in the process.

    Is there a reason a Classifieds Member has access to /wp-admin/edit.php?post_type=classifieds / header /?

    Perhaps if there is a super classified member user who could override a "bad player"

  • DavidM
    • DEV MAN’s Mascot

    Hi soberhood,

    In taking a closer look into the matter, the plugin has actually been designed for front-end access and the aforementioned capabilities wouldn't affect anything there, but would of course affect back-end access.

    We somewhat recently lost the core developer behind the Classifieds plugin and a new developer has been assigned to the task of development and updates. There's currently a lot of work being done on this plugin as a result, so I'll pass all of this information onto that developer for consideration.

    As for the edit_classifieds and edit_classified capabilities you mentioned, edit_classified is a meta-capability to be applied on a per-post basis. It's all explained in the following.
    http://justintadlock.com/archives/2010/07/10/meta-capabilities-for-custom-post-types

    Cheers,
    David

  • Andrey
    • The Incredible Code Injector

    Hello @soberhood,

    Yes, I see this problem.

    And I saw the following:
    1. If you add one ad, you will see only your ads. (If you don't have any ads, you see all ads from all users.)
    2. You can't change capabilities for classified_member, because after you've done it and updated the page, you will see that nothing has changed.

    I will look and fix it.

    Thank you.
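
The meta-capability behaviour DavidM describes, as an added example that is not part of the thread or the Classifieds plugin's code: a must-use plugin file that audits which roles hold edit_others_classifieds and delete_others_classifieds, removes them from the member role, and checks edit rights per post. The role slug classified_member (as written in Andrey's reply), the post type classifieds (from the URLs in the first post) and every function name prefixed classifieds_ are assumptions.

```php
<?php
// Added example, not the Classifieds plugin's code. Drop-in for wp-content/mu-plugins/.
// Assumptions: role slug 'classified_member', post type 'classifieds'.

const CLASSIFIEDS_OTHERS_CAPS = array(
    'edit_others_classifieds',
    'delete_others_classifieds',
);

// Map each role slug to the "others" capabilities it currently grants.
function classifieds_audit_roles() {
    $findings = array();
    foreach ( wp_roles()->role_objects as $slug => $role ) {
        $held = array_filter( CLASSIFIEDS_OTHERS_CAPS, array( $role, 'has_cap' ) );
        if ( $held ) {
            $findings[ $slug ] = array_values( $held );
        }
    }
    return $findings;
}

// Remove the "others" capabilities from the member role. Hooked late on init in
// case other code re-adds them earlier in the request (an assumption, not
// something the thread confirms).
function classifieds_tighten_member_role() {
    $role = get_role( 'classified_member' );
    if ( ! $role ) {
        return;
    }
    foreach ( CLASSIFIEDS_OTHERS_CAPS as $cap ) {
        if ( $role->has_cap( $cap ) ) {
            $role->remove_cap( $cap );
        }
    }
}
add_action( 'init', 'classifieds_tighten_member_role', 99 );

// Per-post decision. 'edit_post' is a meta capability: map_meta_cap() resolves it
// to primitive capabilities such as edit_classifieds (the author's own post) or
// edit_others_classifieds (someone else's post).
function classifieds_user_can_edit( $user_id, $post_id ) {
    return 'classifieds' === get_post_type( $post_id )
        && user_can( $user_id, 'edit_post', $post_id );
}

// Show administrators which roles still hold the "others" capabilities.
add_action( 'admin_notices', function () {
    if ( current_user_can( 'manage_options' ) && ( $found = classifieds_audit_roles() ) ) {
        echo '<div class="notice notice-warning"><p>' . esc_html( wp_json_encode( $found ) ) . '</p></div>';
    }
} );
```

The per-post check only reflects ownership if the post type is registered with its own capability type and `map_meta_cap` enabled, which is the setup the linked article covers.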
