simplify the capabilities (#97)

Software security is only for Administrators.
javiercasares · Aug 5, 2024 · 4f105bf · 4f105bf
2 parents 66d9da7 + 159f715
commit 4f105bf
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 36 deletions.
diff --git a/changelog.txt b/changelog.txt
@@ -1,5 +1,24 @@
 == Changelog ==
 
+= [3.3.2] - 2024-08-05 =
+
+**Fixed**
+
+* The Dashboard panel is availbale, again.
+
+**Compatibility**
+
+* WordPress: 4.1 - 6.7
+* PHP: 5.6 - 8.3
+* WP-CLI: 2.3.0 - 2.10.0
+
+**Tests**
+
+* PHP Coding Standards: 3.10.2
+* WordPress Coding Standards: 3.1.0
+* Plugin Check (PCP): 1.0.2
+* SonarCloud Code Review
+
 = [3.3.1] - 2024-08-02 =
 
 **Fixed**

diff --git a/readme.txt b/readme.txt
@@ -3,9 +3,9 @@ Contributors: javiercasares, davidperez, lbonomo, alexclassroom
 Tags: security, vulnerability, site-health
 Requires at least: 4.1
 Tested up to: 6.7
-Stable tag: 3.3.1
+Stable tag: 3.3.2
 Requires PHP: 5.6
-Version: 3.3.1
+Version: 3.3.2
 License: GPL-2.0-or-later
 License URI: https://spdx.org/licenses/GPL-2.0-or-later.html
 
@@ -115,11 +115,11 @@ First of all, peace of mind. Investigate what the vulnerability is and, above al
 
 == Changelog ==
 
-= [3.3.1] - 2024-08-02 =
+= [3.3.2] - 2024-08-05 =
 
 **Fixed**
 
-* Delete the wp_is_rest_endpoint check. Does not need it.
+* The Dashboard panel is availbale, again.
 
 **Compatibility**
 
@@ -134,17 +134,11 @@ First of all, peace of mind. Investigate what the vulnerability is and, above al
 * Plugin Check (PCP): 1.0.2
 * SonarCloud Code Review
 
-= [3.3.0] - 2024-08-02 =
-
-**Added**
-
-* Ability to exclude of vulnerability types at a global level.
-* WP-CLI commands formats (--format=[table,json]).
-* REST API endpoints (requires Application Password).
+= [3.3.1] - 2024-08-02 =
 
-**Changed**
+**Fixed**
 
-* README file.
+* Delete the wp_is_rest_endpoint check. Does not need it.
 
 **Compatibility**
 
@@ -159,30 +153,27 @@ First of all, peace of mind. Investigate what the vulnerability is and, above al
 * Plugin Check (PCP): 1.0.2
 * SonarCloud Code Review
 
-= [3.2.2] - 2024-07-27 =
+= [3.3.0] - 2024-08-02 =
 
 **Added**
 
-* Ability to configure a different From: email address for sending vulnerability notifications via `wp-config.php`.
+* Ability to exclude of vulnerability types at a global level.
+* WP-CLI commands formats (--format=[table,json]).
+* REST API endpoints (requires Application Password).
 
 **Changed**
 
-* The URL for the website now uses its own domain name.
-* Dashboard visibility is restricted to users with specific capabilities, similar to Site Health.
-
-**Fixed**
-
-* Various minor fixes to prevent warnings and potential errors due to misconfigured WordPress setups.
-* Allow loading of some necessary libraries.
+* README file.
 
 **Compatibility**
 
-* WordPress: 4.1 - 6.6
+* WordPress: 4.1 - 6.7
 * PHP: 5.6 - 8.3
 * WP-CLI: 2.3.0 - 2.10.0
 
 **Tests**
 
+* PHP Coding Standards: 3.10.2
 * WordPress Coding Standards: 3.1.0
 * Plugin Check (PCP): 1.0.2
 * SonarCloud Code Review
@@ -207,7 +198,7 @@ This plugin adheres to the following security measures and review protocols for
 
 == Vulnerabilities ==
 
-* No vulnerabilities have been published up to version 3.3.1.
+* No vulnerabilities have been published up to version 3.3.2.
 
 Found a security vulnerability? Please report it to us privately at the [WPVulnerability GitHub repository](https://github.com/javiercasares/wpvulnerability/security/advisories/new).
 

diff --git a/wpvulnerability-admin.php b/wpvulnerability-admin.php
@@ -9,8 +9,6 @@
 
 defined( 'ABSPATH' ) || die( 'No script kiddies please!' );
 
-wpvulnerability_capabilities();
-
 /**
  * Load the settings to be available always.
  *

diff --git a/wpvulnerability-adminms.php b/wpvulnerability-adminms.php
@@ -9,8 +9,6 @@
 
 defined( 'ABSPATH' ) || die( 'No script kiddies please!' );
 
-wpvulnerability_capabilities();
-
 /**
  * Load the settings to be available always.
  *

diff --git a/wpvulnerability-general.php b/wpvulnerability-general.php
@@ -23,16 +23,15 @@
 function wpvulnerability_capabilities() {
 
 	$user = wp_get_current_user();
-
-	if ( ! ( is_multisite() && ( is_network_admin() || is_main_site() ) && current_user_can( 'manage_network' ) && is_super_admin( $user->ID ) ) ) {
-		// Check if the user has network admin or main site admin capabilities in a multisite setup.
-		return false;
-	} elseif ( ! ( ! is_multisite() && is_admin() && current_user_can( 'manage_options' ) ) ) {
-		// Check if the user has admin capabilities in a single site setup.
-		return false;
+	if ( is_multisite() && ( is_network_admin() || is_main_site() ) && is_super_admin( $user->ID ) ) {
+		// In a WordPress Multisite, the user must be SuperAdmin.
+		return true;
+	} elseif ( ! is_multisite() && is_admin() ) {
+		// In a WordPress simple, the user must be Admin.
+		return true;
 	}
 
-	return true;
+	return false;
 }
 
 /**