Ingo Steinke, web developerIf an event was scheduled by a user with a certain role and permissions, does that imply that the callback runs with the same role and permissions?
TL;DR
Does it? See below and jump to the conclusion ...
... or read about my current plugin (side) project and feel free to contribute.
I should rephrase my question to match my requirements:
As a developer, I want to schedule a WordPress function that runs with certain expected roles and permissions that have been set explicitly.
That's much better, and closer to a solution!
It could also implicitly inherit the caller's capabilities, or put otherwise, persist the scheduling user's role in the scheduled callback.
But why do I want to do something beyond the usual documented default use cases that seemed good enough for most users for the last twenty years? Why can't I find a plugin that offers the required functionality when there are tens of thousands of free plugins in the marketplace?
Use case for wp_schedule_event
When I had to add a contact form in WordPress recently, I used the popular combination of Contact Form 7, Akismet, and Flamingo for a persistent form message inbox with spam protection.
But webmasters have to check possible spam for false positives manually in wp-admin to be sure not to miss any legitimate inbound message.
Pending plugin review queue
There have been similar feature requests for Flamingo Spam Reports, but no option or plugin yet. Maybe someone submitted a plugin but it's there waiting for review together with > 1000 other new plugin submissions, so the estimated waiting time for a WordPress plugin review is > 100 days.
The review is team is currently working on improving the review process, but there would probably be even more plugins in the queue if people wouldn't write their own code without even trying following the outdated coding style predating PHP standards recommendations. But we don't need to wait for the WordPress plugin marketplace to release open-source plugins!
Work in progress
Here is my work in progress on GitHub:
https://github.com/openmindculture/wp-contact-form-inbox-report-mailer-plugin
npm run build:zip creates a zip file that can be uploaded on the "install plugin" from a file page.
Pragmatic debugging
WordPress events like wp_schedule_event or wp_mail have some handy presets, but it's hard to test and write tested clean code given their limited output and debug options.
I split my code into (untested) units and made an admin page to display the inbox report that I want to send by mail, show the next scheduled event time, and trigger a mailing on each page request.
Everything seemed to work, but no mail was sent when triggered by the schedule callback function.
Inspecting the code I wrote, I found that I explicitly added a condition not to send an email if the report is empty.
if ($report && !empty($report))
Maybe that's an anti-pattern even in production, but it definitely doesn't help debugging, so I'd rather send an empty mail where I can add further information.
Roles and permissions
I questioned another assumption: even if the event was scheduled by a user with permissions to view the inbox items, does that imply that the callback has the same role and permissions?
The scheduler is no real cron job, but
The action will trigger when someone visits your WordPress site if the scheduled time has passed.
So maybe it's that visitor's role running the job? If it's an external site visitor, of course they don't have permission to view my contact form inbox.
Unfortunately, the wp_schedule_event function reference isn't specific about this aspect yet. Comments and code examples aren't either.
The only helpful hint that I found after researching for about half an hour is an answer on wordpress.stackexchange.com:
You can do something like this
function your_cron_job(){
$u = new WP_User(3);
$u->set_role('editor');
}
Something like this could mean set_role('administrator') or something less excessive like adding a specific capability for reading a very specific content type.
Conclusion
You tell me!
I'm sorry, but if you know, add your answer as a comment, if you don't, wait until I will. The code snippet above might looks promising and it implies that we need to specify a role explicitly to use a cron schedule to access data that is not available publicly in WordPress.
Meanwhile, I will try and finish my plugin. Maybe I will even submit it to the plugin directory. Hopefully they don't require coding like it's 2003 in their WordPress Coding Standards anymore. But my code is on GitHub, and so will be the latest release, ready to use on any WordPress site with a Flamingo inbox. Feel free to contribute!
