0

I've defined a custom role in Woocommerce. This user ONLY needs access to urls to edit shop_orders and inspect individual shop orders. Like:

/wp-admin/edit.php?post_type=shop_order
/wp-admin/post.php?post=124&action=edit
/wp-admin/post-new.php?post_type=shop_order

If they go anywhere else I want to redirect them to:

/wp-admin/edit.php?post_type=shop_order

In effect they should only see orders, modify orders, and create orders. I've added all the right permissions for this, and modified the menus drastically so they can't see 'products', 'my profile', etc. However, if they accessed some links directly they would still load (the 'dashboard' for one and 'my settings'). Removing them from dashboard != removing access to them.

I'm trying to harden my security a bit by redirecting on everything except a few whitelisted routes with wildcards. Any thoughts on how to approach? Thanks.

4

1 回答 1

1

这听起来像是你可以用这个过滤器做的事情: https ://codex.wordpress.org/Plugin_API/Filter_Reference/user_has_cap

我对它的理解是,当 wordpress 查询用户是否有能力在网站上做某事时,例如edit_posts,您可以应用进一步的逻辑(在您的示例中,检查他们的角色是否是您定义的自定义角色)到如果您愿意,可以决定限制或增强该功能。在您的情况下,如果用户不符合您的标准(他们没有请求预定义的页面),您可以重定向。

快速概念证明(我认为):

function only_let_user100_see( $allcaps, $cap, $args ) {
  if($args[0] === 'edit_posts' && is_admin()) {
    if(get_current_user_id() !== 100) {
      echo "No way";
      exit;
    }
  } else {
    return $allcaps;
  }
}
add_filter( 'user_has_cap', 'only_let_user100_see', 10, 3 );
于 2018-03-25T00:55:24.187 回答