On some of my WordPress sites I have users who were at some time Administrators but who are now at lower level user roles.
These users always have:
Additional Capabilities: gform_full_access
This even persists when I demote them to Subscriber role.
How do I remove these permissions from ex-administrators so that they no longer have access to Gravity Forms?
You can use a role management plugin like Members by Justin Tadlock. Using that, you can see all the roles and their capabilities and edit the capabilities for each role. There are other plugins out there which do the same thing, but Members is the one I am most familiar with.
So basically Gravity Forms has given full access permissions to even the lowest user roles and there is no built in way to revoke it?
This is a bit of a problem, no?
I'll check out Members, but it's a shame I have to go to another plugin to do this.
Those permissions are not given to the lowest user roles by default. I was trying to give you a tool to correct the problem right now, since I'm not sure how the roles remain after the role was downgraded. Gravity Forms has no built in role or capability management. I was trying to solve the problem you have now, then we can work out why it happened in the first place.
I hope this tool works for you.
Hi Chris, ok it's good to hear this is not the intended way for it to function.
I have installed the plugin Members but it is unable to solve my problem, or at least I am unable to find how to do it.
I am seeing the following on the bottom of the default WordPress edit user profile page for users with role of "Subscriber":
http://i.imgur.com/idb8c.png
In the Members plugin role editor (Users -> Roles) I select Subscriber and I see the following:
http://i.imgur.com/2tiB3.png
As you can see, all the Gravity Forms capabilities are disabled (unchecked), yet still these users have full access to all Gravity Forms functions.
Any ideas? Thanks.
@Prophet, please send me a WordPress administrator login for your site to chris@rocketgenius.com and I will take a look. Maybe there is something odd about these few users who were once administrators.
Just found this online:
http://wordpress.org/support/topic/plugin-user-role-editor-no-capabilities-for-gravity-forms?replies=6
I will ask the developers about this.
@Prophet, I emailed you. It appears the gform_full_access capability remains when you downgrade a user like you have. I manually reset the capabilities in the database. A subscriber should have these capabilities in the usermeta table:
a:1:{s:10:"subscriber";s:1:"1";}They inadvertently had these after being downgraded from admin to subscriber:
a:2:{s:17:"gform_full_access";s:1:"1";s:10:"subscriber";s:1:"1";}I have informed the developers. Thank you for bringing this to our attention.
I'm having the same problem, but I don't know how to change the usermeta table. Can I do this via phpmyadmin?
Yes, you can edit via phpMyAdmin. Please be sure to make a full backup of your database before making any edits there.
I am also having a problem with this and the gform_full_access is NOT a part of this user's capabilities. Some of my custom roles are inheriting gform editing capabilities, and some are not. None of them have any capabilities selected in a role management plugin. And I have made new test users with unique handles/emails - they were never admins, and yet they still get this capability. This is problematic.
http://www.gravityhelp.com/forums/topic/permissions-issues-dashboard-widgets-remain Per this post, I concur that after removing the capability "delete_user", this user no longer has full access to Gravity Forms! Which is, ultimately what I want to achieve in Gravity Forms. But not something I was wishing to remove from my Membership Manager role...
Mstar, does this solution work for you or are you looking to try something else?
I would like to add that this issue has very serious consequences on multisite installs. I'm working on a multisite project, and the following situation arises here.
In multisite mode, unlike in single site installs, users can have a role on any blog, or not (registered on the network dmin, not add to a subsite). This is stored in the usermeta key mentioned above. I have many occasions where the gform capabilities are the only on listed in that key, without a WP native capability like 'editor'.
Thus, lots of users on my site have gform_full_access, but no role on the same blog. This means they are linked to the blog, but because there's no role, they are not listed on the blog's users screen. This in turn means their profile can not be edited, and they can not be given a role on the blog. This seriously hinders user management.
We're trying to use as few plugins as possible, and would prefer not to use the Members plugin.
