capabilities - What Capability is required to let a role RUN code in Edit Theme?


I am outsourcing some work and they are using the Theme Editor to add PHP to my site.

For example, this bit of code https://docs.mylistingtheme/article/after-importing-listings-they-are-not-shown-in-explore-page/ is something that I have put into my theme - to invoke it you need to use the querystring http://Yoursite/?geolocate_listings=1

This works fine when logged in as Admin role, however I made a custom Role called "TempCode" that has the Capability EditTheme which lets that user edit the theme functions.php file.

However, when they try to run it with http://Yoursite/?geolocate_listings=1 when logged in as a non-admin, it just redirects to the home page.

So there's some permissions handler that is checking whether they have rights to execute that added PHP code - what is the Capability that I need to add to the role to allow them to run it?

asked Jan 22, 2020 at 12:10 by Rodney
  • 1 Is there a reason you're making them use the built in editor? That editor is for hotfixes, it's not intended as a theme development tool. Is there a particular reason you aren't giving them appropriate access via shell or SFTP? Or access to a git repository so you can deploy yourself and retain full server control? – Tom J Nowell Commented Jan 22, 2020 at 14:14
  • Yes, it is the quickest way to test a 10 min change without revealing the database or files. I agree with your comments though - once I have found the right person/team I can put a better workflow in place. – Rodney Commented Jan 22, 2020 at 19:40
  • If they have access to edit the PHP then there's no point, they can just modify a file to call wp_create_user and create themselves an admin user to log in with. They could replace a page template's code with a PHP shell and browse the filesystem and grab the database themselves. The ability to modify the PHP gives them the power to do anything they want on that server; I do hope there's no customer personal information in that database, or WP installs in other folders on the same server. – Tom J Nowell Commented Jan 23, 2020 at 0:56
  • Yes, absolutely agree. Without going into detail, this is a quick hack to get past something. It minimizes the potential risk, but all your points are spot on. – Rodney Commented Jan 23, 2020 at 1:04

1 Answer


WordPress does not have the ability to prevent code from running based on who added it. That's not the problem. The problem is far simpler: the code they added is specifically written to not work for anyone but administrators:

if ( empty( $_GET['geolocate_listings'] ) || ! current_user_can( 'administrator' ) ) {
    return; // bail out unless the query flag is set and the current user passes the check
}

You can change 'administrator' to any capability that you want to control who can trigger this code.
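The following is an added example, not code from the question, the answer, or the theme documentation the question links to. It shows the least-privilege version of the change the answer describes: instead of checking the 'administrator' role name, the handler checks a dedicated capability, and that one capability is granted to the custom role so the contractor can trigger the action without being made an administrator. It also ties the trigger URL to a nonce, so a logged-in user cannot be made to fire the action by following a forged link. Assumed names: the custom role's slug is 'tempcode' (the question only gives the display name "TempCode"), the capability 'run_geolocate_listings' and the option 'geolocate_listings_caps_version' are invented here, and geolocate_listings_run() stands in for whatever the imported snippet does. As the comments above point out, this only controls who may trigger the action; it does not limit what someone with Theme Editor access can do.

```php
<?php
/**
 * Added example (not the original question's or answer's code).
 * Gate /?geolocate_listings=1 on a dedicated capability rather than the
 * 'administrator' role name, and grant that capability to the custom role.
 *
 * Assumed: role slug 'tempcode', capability 'run_geolocate_listings',
 * option 'geolocate_listings_caps_version', and geolocate_listings_run()
 * as a stand-in for the theme's own snippet.
 */

// Role capabilities are persisted in the database, so the grant only needs
// to happen once; a version option prevents re-saving on every request.
add_action( 'init', function () {
    if ( get_option( 'geolocate_listings_caps_version' ) === '1' ) {
        return;
    }
    foreach ( array( 'administrator', 'tempcode' ) as $role_slug ) {
        $role = get_role( $role_slug );
        if ( $role instanceof WP_Role ) {
            $role->add_cap( 'run_geolocate_listings' );
        }
    }
    update_option( 'geolocate_listings_caps_version', '1' );
} );

// Builds the trigger URL with a nonce attached; hand this to the person who
// is allowed to run the action instead of the bare /?geolocate_listings=1.
function geolocate_listings_trigger_url() {
    return wp_nonce_url( home_url( '/?geolocate_listings=1' ), 'geolocate_listings' );
}

// Stand-in for the imported snippet's actual work (assumption).
function geolocate_listings_run() {
    // ... re-geolocate listings here ...
}

add_action( 'template_redirect', function () {
    if ( empty( $_GET['geolocate_listings'] ) ) {
        return;
    }

    // Capability check: any role that holds 'run_geolocate_listings' passes,
    // so the custom role no longer needs full administrator rights.
    if ( ! current_user_can( 'run_geolocate_listings' ) ) {
        wp_die( 'You are not allowed to run this action.', '', array( 'response' => 403 ) );
    }

    // Nonce check: a plain link to /?geolocate_listings=1 is not enough; the
    // request must carry a valid _wpnonce issued for this action and user.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'geolocate_listings' ) ) {
        wp_die( 'Invalid or expired request token.', '', array( 'response' => 403 ) );
    }

    geolocate_listings_run();
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );
```

Drop this into the theme's functions.php (or, better, a small plugin so it survives theme updates). After the first page load the capability is stored on both roles; to revoke it later, call `get_role( 'tempcode' )->remove_cap( 'run_geolocate_listings' )` once or simply delete the role. Checking a capability rather than a role name is also what WordPress itself recommends for current_user_can().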
