In my wp-config.php file, I have the line:
define('DISALLOW_FILE_EDIT', true);
I always include this on all sites as standard, and it has always worked exactly as expected. However, I've only just noticed that on one client's site, it has stopped working.
They have the User Role Editor plugin that was set up to define a handful of custom roles. Once the roles were set up, the plugin was deactivated (it doesn't need to be active for the roles to exist) and all the caps for the roles are managed via a custom plugin.
However, since the last plugin update, it looks like the wp_user_roles entry in the database has been updated, and administrator-level users now have access to the file editor for themes & plugins, despite DISALLOW_FILE_EDIT still being defined as true.
I added a filter to one of my plugins that basically does the same thing as wp-includes/capabilities.php:
// Require the never-granted 'do_not_allow' cap for any file-editing capability.
function vnmAdmin_preventFileEdits($required_caps, $cap, $user_id, $args) {
    $blocked_caps = array(
        'edit_files',
        'edit_plugins',
        'edit_themes',
    );
    if (in_array($cap, $blocked_caps)) {
        $required_caps[] = 'do_not_allow';
    }
    return $required_caps;
}
add_filter('map_meta_cap', 'vnmAdmin_preventFileEdits', 10, 4);
…but this still doesn't work. No matter what I do, I can't remove the edit_files/themes/plugins capability from administrator users. And I definitely want to.
Is there anything I'm missing here?
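
One way to narrow down the situation described in the question, as an added diagnostic example that is not part of the original post: re-apply the block at the last possible filter priority, log when do_not_allow is missing by then, and list every callback hooked to the capability filters. The file name, log prefix, and the premise that another callback alters the caps after priority 10 are assumptions.

```php
<?php
/**
 * Added diagnostic example, not code from the question.
 * Hypothetical location: wp-content/mu-plugins/vnm-cap-audit.php
 */

// Run after every other map_meta_cap callback and re-assert the block.
add_filter('map_meta_cap', function ($required_caps, $cap, $user_id, $args) {
    $blocked_caps = array('edit_files', 'edit_plugins', 'edit_themes');
    if (!in_array($cap, $blocked_caps, true)) {
        return $required_caps;
    }
    if (!in_array('do_not_allow', $required_caps, true)) {
        // Neither core nor the priority-10 filter left the block in place.
        error_log(sprintf(
            '[cap-audit] %s for user %d lacks do_not_allow; DISALLOW_FILE_EDIT=%s; caps=%s',
            $cap,
            $user_id,
            defined('DISALLOW_FILE_EDIT') ? var_export(DISALLOW_FILE_EDIT, true) : 'undefined',
            implode(',', $required_caps)
        ));
        $required_caps[] = 'do_not_allow';
    }
    return $required_caps;
}, PHP_INT_MAX, 4);

// On each wp-admin request, log which callbacks sit on the capability filters.
add_action('admin_init', function () {
    global $wp_filter;
    foreach (array('map_meta_cap', 'user_has_cap') as $hook) {
        if (empty($wp_filter[$hook])) {
            continue;
        }
        foreach ($wp_filter[$hook]->callbacks as $priority => $callbacks) {
            foreach ($callbacks as $callback) {
                $fn = $callback['function'];
                if (is_string($fn)) {
                    $name = $fn;
                } elseif (is_array($fn)) {
                    $name = (is_object($fn[0]) ? get_class($fn[0]) : $fn[0]) . '::' . $fn[1];
                } else {
                    $name = get_class($fn); // closure or invokable object
                }
                error_log("[cap-audit] {$hook} @ {$priority}: {$name}");
            }
        }
    }
    // Final verdict for the logged-in user once all filters have run.
    error_log('[cap-audit] current_user_can(edit_plugins)=' . var_export(current_user_can('edit_plugins'), true));
});
```

If the final line logs false while the editor screens are still reachable, the access is not coming from these three capabilities and the menu or page registration is the next place to look.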