
Conversation


@rakib1904107 rakib1904107 commented Dec 29, 2025

All Submissions:

  • My code follows the WordPress coding standards
  • My code satisfies feature requirements
  • My code is tested
  • My code passes the PHPCS tests
  • My code has proper inline documentation
  • I've included related pull request(s) (optional)
  • I've included developer documentation (optional)
  • I've added proper labels to this pull request

Changes proposed in this Pull Request:

Check only the current user's capability. If the required capability is missing, return early.

Related Pull Request(s)

  • Full PR Link

Closes

How to test the changes in this Pull Request:

  • Steps or issue link
  1. Create a user with the Editor role
  2. Log in as that Editor user and go to the admin panel

Changelog entry

Title: Dokan menu should not appear in the admin panel for the Editor role

Before Changes

  • The Dokan menu appears if the user is logged in as an Editor.

After Changes

  • The Dokan menu does not appear for the Editor role.

Feature Video (optional)

Link of detailed video if this PR is for a feature.

PR Self Review Checklist:

  • Code is not following code style guidelines
  • Bad naming: make sure you would understand your code if you read it a few months from now.
  • KISS: Keep it simple, Sweetie (not stupid!).
  • DRY: Don't Repeat Yourself.
  • Code that is not readable: too many nested 'if's are a bad sign.
  • Performance issues
  • Complicated constructions that need refactoring or comments: code should almost always be self-explanatory.
  • Grammar errors.

FOR PR REVIEWER ONLY:

As a reviewer, your feedback should be focused on the idea, not the person. Seek to understand, be respectful, and focus on constructive dialog.

As a contributor, your responsibility is to learn from suggestions and iterate your pull request should it be needed based on feedback. Seek to collaborate and produce the best possible contribution to the greater whole.

  • Correct — Does the change do what it’s supposed to? ie: code 100% fulfilling the requirements?
  • Secure — Would a nefarious party find some way to exploit this change? ie: everything is sanitized/escaped appropriately for any SQL or XSS injection possibilities?
  • Readable — Will your future self be able to understand this change months down the road?
  • Elegant — Does the change fit aesthetically within the overall style and architecture?

Summary by CodeRabbit

  • Bug Fixes
    • Improved admin menu access control to properly restrict visibility and access to menu items for users without the required permissions.


@coderabbitai

coderabbitai bot commented Dec 29, 2025

📝 Walkthrough

Walkthrough

An early permission guard is added to the add_admin_menu function in includes/Admin/Menu.php, causing the function to return immediately if the current user lacks the required capability. This prevents the Dokan menu from appearing in the admin panel for unauthorized users.

Changes

Cohort / File(s) | Summary
Permission Guard in Menu Builder: includes/Admin/Menu.php | Adds a capability check at the start of add_admin_menu() to prevent menu construction for users without the required permission, fixing the unauthorized menu display for Editor role users

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A fence for the menu, so humble and neat,
Keeps editors out with a permission receipt,
No Dokan for thee without proper auth flow,
The admin stays tidy, as it should be below!

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | Passed | The title clearly and specifically describes the fix: preventing the Dokan menu from appearing for users with the Editor role, which is the main objective of this PR.
Description check | Passed | The description includes key sections covering changes, issue closure, testing steps, before/after comparison, and changelog entry, meeting the template's core requirements.
Linked Issues check | Passed | The code change adds a permission guard to prevent menu display for users lacking the required capability, directly addressing issue #5299's requirement to restrict the Dokan menu from Editor role users.
Out of Scope Changes check | Passed | The change is focused and in-scope: it only adds an early permission check in the admin menu function to address the specific issue of Editor role users seeing the Dokan menu.
Docstring Coverage | Passed | Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.

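The guard described in the walkthrough above, written out as an added example. This is not Dokan's code: the Example_Admin_Menu class, the example_admin_menu_capability() helper, the 'example_admin_menu_capability' filter, the 'example_admin_menu' action and the choice of manage_options as the gating capability are all assumptions made for illustration. It shows the three places a capability matters in a WordPress admin menu: the early return before anything is registered (the PR's change), the capability stored as the second element of every $submenu entry, and a re-check in the page callback, since menu-time checks only control what is displayed, not what a direct request to admin.php?page=... can reach.

```php
<?php
/**
 * Added example, not Dokan's code: an admin-menu registrar with the early
 * capability guard the PR introduces, the capability recorded on every
 * submenu entry, and a re-check in the page callback.
 *
 * Assumed (not from the page): Example_Admin_Menu, example_admin_menu_capability(),
 * the 'example_admin_menu_capability' filter, the 'example_admin_menu' action and
 * the manage_options capability. Under WordPress the stand-ins below are never
 * defined; they exist only so `php this-file.php` runs without WordPress, with a
 * constructed user whose capabilities are listed in $GLOBALS['example_user_caps'].
 */

if ( ! function_exists( 'current_user_can' ) ) {
    $GLOBALS['example_user_caps'] = [];
    function current_user_can( $cap ) { return in_array( $cap, $GLOBALS['example_user_caps'], true ); }
    function __( $text, $domain = 'default' ) { return $text; }
    function esc_html__( $text, $domain = 'default' ) { return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ); }
    function apply_filters( $hook, $value, ...$args ) { return $value; }
    function do_action( $hook, ...$args ) {}
    function add_action( $hook, $callback, $priority = 10, $accepted_args = 1 ) {}
    function add_menu_page( ...$args ) { $GLOBALS['example_top_level_registered'] = true; }
    function wp_die( $message = '', $title = '', $args = [] ) { throw new RuntimeException( strip_tags( (string) $message ) ); }
}

function example_admin_menu_capability() {
    // Filterable so a site can delegate the menu to a custom role; the default
    // is a capability WordPress's Editor role does not have.
    return apply_filters( 'example_admin_menu_capability', 'manage_options' );
}

final class Example_Admin_Menu {
    const SLUG = 'example';

    public function register_hooks() {
        add_action( 'admin_menu', [ $this, 'add_admin_menu' ] );
    }

    /**
     * Registers the menu. Returns true when the menu was built and false when
     * the capability guard returned early, so callers can tell which happened.
     */
    public function add_admin_menu() {
        global $submenu;

        $capability = example_admin_menu_capability();

        // Early return: a user without the capability never reaches the
        // add_menu_page() call or the $submenu writes below.
        if ( ! current_user_can( $capability ) ) {
            return false;
        }

        $slug = self::SLUG;
        add_menu_page( __( 'Example', 'example' ), __( 'Example', 'example' ), $capability, $slug, [ $this, 'render' ], 'dashicons-store', 55 );

        // The second element of each entry is the capability WordPress checks
        // again when it prints the menu and when it serves admin.php?page=...;
        // keep it on every entry rather than relying on the guard alone.
        $submenu[ $slug ][] = [ __( 'Dashboard', 'example' ), $capability, 'admin.php?page=' . $slug . '#/' ];
        $submenu[ $slug ][] = [ __( 'Settings', 'example' ), $capability, 'admin.php?page=' . $slug . '#/settings' ];

        // Extensions add their own entries here; passing $capability lets them
        // attach the same one to what they register.
        do_action( 'example_admin_menu', $capability, $slug );

        return true;
    }

    /** Page callback: menu-time checks control visibility, not the request, so check again. */
    public function render() {
        if ( ! current_user_can( example_admin_menu_capability() ) ) {
            wp_die( esc_html__( 'You do not have permission to access this page.', 'example' ), '', [ 'response' => 403 ] );
        }
        echo '<div class="wrap"><h1>' . esc_html__( 'Example', 'example' ) . '</h1></div>';
    }
}

// CLI demonstration with the constructed user; never reached inside WordPress.
if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $menu = new Example_Admin_Menu();

    // An Editor-like capability set: the guard fires and $submenu stays empty.
    $GLOBALS['example_user_caps'] = [ 'edit_posts', 'edit_pages', 'publish_posts' ];
    printf( "editor -> registered: %s, submenu entries: %d\n", var_export( $menu->add_admin_menu(), true ), count( $submenu['example'] ?? [] ) );

    // An Administrator-like set: the menu is built with both entries.
    $GLOBALS['example_user_caps'][] = 'manage_options';
    printf( "admin  -> registered: %s, submenu entries: %d\n", var_export( $menu->add_admin_menu(), true ), count( $submenu['example'] ?? [] ) );
}
```

Run from the CLI, the first call returns early for the Editor-like capability set and the second builds the menu once manage_options is added. Inside WordPress only register_hooks() is needed; the stand-ins are skipped because the real functions already exist.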


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
includes/Admin/Menu.php (1)

58-67: Consider removing redundant capability checks.

The capability checks on lines 58 and 71 are now redundant since the early return on line 37 ensures that only users with the required capability reach this code. Removing these checks would simplify the logic.

🔎 Proposed refactor
-        if ( current_user_can( $capability ) ) {
-            $submenu[ $slug ][] = [ __( 'Dashboard', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/' ];
-            $submenu[ $slug ][] = [ __( 'Withdraw', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/withdraw?status=pending' ];
-            $submenu[ $slug ][] = [ __( 'Reverse Withdrawal', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/reverse-withdrawal' ];
-
-            // if dokan pro not installed or dokan pro is greater than 2.9.14 register the `vendor` sub-menu
-            if ( ! dokan()->is_pro_exists() || version_compare( DOKAN_PRO_PLUGIN_VERSION, '2.9.14', '>' ) ) {
-                $submenu[ $slug ][] = [ __( 'Vendors', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/vendors' ];
-            }
+        $submenu[ $slug ][] = [ __( 'Dashboard', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/' ];
+        $submenu[ $slug ][] = [ __( 'Withdraw', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/withdraw?status=pending' ];
+        $submenu[ $slug ][] = [ __( 'Reverse Withdrawal', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/reverse-withdrawal' ];
+
+        // if dokan pro not installed or dokan pro is greater than 2.9.14 register the `vendor` sub-menu
+        if ( ! dokan()->is_pro_exists() || version_compare( DOKAN_PRO_PLUGIN_VERSION, '2.9.14', '>' ) ) {
+            $submenu[ $slug ][] = [ __( 'Vendors', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/vendors' ];
         }
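Review bot: dropping the inner `current_user_can( $capability )` around the Dashboard, Withdraw, Reverse Withdrawal and Vendors entries makes their visibility depend entirely on the early return at the top of `add_admin_menu()`; the `$capability` kept as the second element of each `$submenu[ $slug ][]` entry is what still gates them independently of that guard, so it must stay on every entry. A short comment above the first `$submenu[ $slug ][]` write naming the early return as the only remaining guard would stop a later refactor that moves or loosens it from silently widening who sees these items.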

And for lines 71-74:

-        if ( current_user_can( $capability ) ) {
-            $submenu[ $slug ][] = [ __( '<span style="color:#f18500">Help</span>', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/help' ];
-            $submenu[ $slug ][] = [ __( 'Settings', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/settings' ];
-        }
+        $submenu[ $slug ][] = [ __( '<span style="color:#f18500">Help</span>', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/help' ];
+        $submenu[ $slug ][] = [ __( 'Settings', 'dokan-lite' ), $capability, 'admin.php?page=' . $slug . '#/settings' ];
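Review bot: the Help entry puts markup inside the translatable string, `__( '<span style="color:#f18500">Help</span>', 'dokan-lite' )`, so translation files control HTML that lands in the admin menu; move the span outside the translation call, e.g. `sprintf( '<span style="color:#f18500">%s</span>', __( 'Help', 'dokan-lite' ) )`. Unrelated to the capability cleanup, but this hunk rewrites that line and is the natural place to fix it.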

Also applies to: 71-74

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9a44aa3 and fecc439.

📒 Files selected for processing (1)
  • includes/Admin/Menu.php
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: e2e tests (3, 3)
  • GitHub Check: e2e tests (1, 3)
  • GitHub Check: e2e tests (2, 3)
  • GitHub Check: api tests (1, 1)
🔇 Additional comments (3)
includes/Admin/Menu.php (3)

37-39: LGTM - Early capability check prevents unauthorized menu access.

The early return correctly implements the PR objective by preventing menu registration when the current user lacks the required capability. This ensures the Dokan menu won't appear for Editor role users.


32-32: No action needed. The function name dokana_admin_menu_capability() is correctly spelled and is a deliberately defined wrapper function in the codebase (includes/functions.php, line 24) that calls the main dokan_admin_menu_capability() function. This is an intentional design pattern, not a typo.

Likely an incorrect or invalid review comment.


69-69: The dokan_admin_menu action on line 69 fires unconditionally for all users (before the capability check on line 71) and passes the $capability as a parameter. Extensions like Dashboard can receive this parameter and decide what menu items to register based on user permissions. This is not a breaking change—the hook behavior remains the same.

@rakib1904107 rakib1904107 self-assigned this Dec 29, 2025
@rakib1904107 rakib1904107 added Needs: Testing This requires further testing Needs: Dev Review It requires a developer review and approval labels Dec 29, 2025