Empty settings page for users with custom role having the manage_options capability

[rvdsteege]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the plugin and it is still present.

WordPress version

6.4.3

Cloudflare-WordPress version

4.12.6

PHP version

7.4.33

Expected result

A user with a custom role which has the manage_options capability, being able to purge the cache through the Settings → Cloudflare page.

Actual result

When clicking the "Cloudflare" admin menu item, an empty page is displayed and CONFIG_FETCH_ERROR and ZONES_FETCH_ERRORS errors occur in the console.

Steps to reproduce

1. Create a user with custom role, having the manage_options capability (e.g. using the Members plugin; https://wordpress.org/plugins/members/)
2. Visit Settings → Cloudflare

Additional factoids

It appears that the changes from #529 are causing the issues (released in version 4.12.3). The "Cloudflare" admin menu item requires the manage_options capability and the WordPress AJAX action cloudflare_proxy — which seems needed to load the settings page — is checking for the administrator role.

Cloudflare-WordPress/src/WordPress/Hooks.php

Lines 82 to 87 in dd13e15

	public function cloudflareConfigPage()
	{
	if (function_exists('add_options_page')) {
	add_options_page(__('Cloudflare Configuration'), __('Cloudflare'), 'manage_options', 'cloudflare', array($this, 'cloudflareIndexPage'));
	}
	}

Cloudflare-WordPress/src/WordPress/Proxy.php

Lines 56 to 60 in dd13e15

	public function run()
	{
	if (!$this->wordpressAPI->isCurrentUserAdministrator()) {
	return;
	}

It might be better to check against the manage_options capability in the proxy too, so both will be checking the same requirement to access the settings page.

---

Also, as mentioned in the WordPress developer documentation at https://developer.wordpress.org/reference/functions/current_user_can/, checking against a role instead of a capability using current_user_can() is discouraged:

While checking against particular roles in place of a capability is supported in part, this practice is discouraged as it may produce unreliable results.

Cloudflare-WordPress/src/WordPress/WordPressAPI.php

Lines 159 to 165 in dd13e15

	/**
	* @return boolean
	*/
	public function isCurrentUserAdministrator()
	{
	return $this->wordPressWrapper->currentUserCan('administrator');
	}

Cloudflare-WordPress/src/WordPress/WordPressWrapper.php

Lines 39 to 42 in 58db13b

	public function currentUserCan($capabilities)
	{
	return current_user_can($capabilities);
	}

References

#529

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[remcotolsma]

Is there someone from the @cloudflare team who can review the PR and merge it if possible?

[rvdsteege]

As I have not heard anything since opening this issue in April, I reported it through Cloudflare support. The case ID is 01317769.

[rvdsteege]

I've received reply (March 24, 2025 at 2:53 AM) in the support case that this plugin is not maintained anymore:

We are not maintaining the APO plugin at the moment, so you will not see an updated version soon.

Unfortunately, this issue will persist then.

[jordantrizz]

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.