Empty settings page for users with custom role having the `manage_options` capability

[rvdsteege]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the plugin and it is still present.

WordPress version

6.4.3

Cloudflare-WordPress version

4.12.6

PHP version

7.4.33

Expected result

A user with a custom role which has the manage_options capability, being able to purge the cache through the Settings → Cloudflare page.

Actual result

When clicking the "Cloudflare" admin menu item, an empty page is displayed and CONFIG_FETCH_ERROR and ZONES_FETCH_ERRORS errors occur in the console.

Steps to reproduce

1. Create a user with custom role, having the manage_options capability (e.g. using the Members plugin; https://wordpress.org/plugins/members/)
2. Visit Settings → Cloudflare

Additional factoids

It appears that the changes from #529 are causing the issues (released in version 4.12.3). The "Cloudflare" admin menu item requires the manage_options capability and the WordPress AJAX action cloudflare_proxy — which seems needed to load the settings page — is checking for the administrator role.

Cloudflare-WordPress/src/WordPress/Hooks.php

Lines 82 to 87 in dd13e15

	public function cloudflareConfigPage()
	{
	if (function_exists('add_options_page')) {
	add_options_page(__('Cloudflare Configuration'), __('Cloudflare'), 'manage_options', 'cloudflare', array($this, 'cloudflareIndexPage'));
	}
	}

Cloudflare-WordPress/src/WordPress/Proxy.php

Lines 56 to 60 in dd13e15

	public function run()
	{
	if (!$this->wordpressAPI->isCurrentUserAdministrator()) {
	return;
	}

It might be better to check against the manage_options capability in the proxy too, so both will be checking the same requirement to access the settings page.

---

Also, as mentioned in the WordPress developer documentation at https://developer.wordpress.org/reference/functions/current_user_can/, checking against a role instead of a capability using current_user_can() is discouraged:

While checking against particular roles in place of a capability is supported in part, this practice is discouraged as it may produce unreliable results.

Cloudflare-WordPress/src/WordPress/WordPressAPI.php

Lines 159 to 165 in dd13e15

	/**
	* @return boolean
	*/
	public function isCurrentUserAdministrator()
	{
	return $this->wordPressWrapper->currentUserCan('administrator');
	}

Cloudflare-WordPress/src/WordPress/WordPressWrapper.php

Lines 39 to 42 in 58db13b

	public function currentUserCan($capabilities)
	{
	return current_user_can($capabilities);
	}

References

#529

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[remcotolsma]

Is there someone from the @cloudflare team who can review the PR and merge it if possible?

[rvdsteege]

As I have not heard anything since opening this issue in April, I reported it through Cloudflare support. The case ID is 01317769.

[rvdsteege]

I've received reply (March 24, 2025 at 2:53 AM) in the support case that this plugin is not maintained anymore:

We are not maintaining the APO plugin at the moment, so you will not see an updated version soon.

Unfortunately, this issue will persist then.

[jordantrizz]

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.

[shawn-digitalpoint]

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.

Biased of course, but one of the primary reasons for this is because it's seemed the official plugin has been deprecated for years (before they officially confirmed that's the case).

https://wordpress.org/plugins/app-for-cf/

Enabling "Guest page caching" does what APO does.

[jmzolezzi]

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.

Biased of course, but one of the primary reasons for this is because it's seemed the official plugin has been deprecated for years (before they officially confirmed that's the case).

https://wordpress.org/plugins/app-for-cf/

Enabling "Guest page caching" does what APO does.

Would it be possible to confirm if that plugin with Guest page caching, indeed provides exactly the same features APO provides?

[shawn-digitalpoint]

@rvdsteege its unfortunate, it would be great if someone built a super simple replacement.

Biased of course, but one of the primary reasons for this is because it's seemed the official plugin has been deprecated for years (before they officially confirmed that's the case).
https://wordpress.org/plugins/app-for-cf/
Enabling "Guest page caching" does what APO does.

Would it be possible to confirm if that plugin with Guest page caching, indeed provides exactly the same features APO provides?

While very similar, it's not exactly the same from a technical standpoint (fundamentally, it's the same thing as far as being able to serve HTML pages from Cloudflare's edge).

The differences:

APO pros:

• New content is proactively pushed to cache before a user requests the page (App for Cloudflare sends it to cache the first time a user requests the new content).

App for Cloudflare pros:

• Free (does not require a paid Cloudflare plan or $5/month).
• Ability to leverage preloading/Early Hints to push a page's JavaScript and CSS to the client faster.
• Actively developed (been a few years since the APO plugin has had anything substantial done to it). Changelog for App for Cloudflare is here.
• It has a not insignificant number of features that the APO plugin hasn't scratched the surface on (for example the ability to do image transforms on WordPress Media to convert them to WebP/AVIF as needed).

Generally speaking, App for Cloudflare's Guest Page Caching will yield the same TTFB (doing the same thing... caching HTML at the edge), but a faster user experience if you also use the preloading option, image transformations or other various things it can do.