Paid Memberships Pro Update 2.4.2 is out with a handful of bug fixes and enhancements.
Several updates have been made to the PMPro REST API endpoints. In addition to fixing a few open issues, we have also made the REST API more secure by requiring appropriate user capabilities to access even the read-only (GET) endpoints. This is a good improvement, but also could break integration that was set up under the assumption that some of these endpoints had public access.
If you are having issues after upgrading to 2.4.2, make sure that your API user is authenticated and has the pmpro_edit_memberships capability of the other appropriate capabilities for the actions you are performing. If you absolutely want some endpoints to be public, you can use the pmpro_rest_api_route_capabilities filter and/or pmpro_rest_api_permissions filter to change this behavior.
The full list of updates:
- SECURITY: Updated the PMPro REST API endpoints accessed via the GET method to also require appropriate capabilities to access. The membership confirmation text will be hidden from non-members and non-admins. The endpoints to check a user’s level or access to a post require the pmpro_edit_memberships capability now. You should make sure your API users have the appropriate capabilities to use the API. You can use the pmpro_rest_api_route_capabilities filter and/or pmpro_rest_api_permissions filter to change this behavior.
- BUG FIX: Fixed issues with the PMPro REST API endpoints, including the discount code and checkout level endpoints.
- BUG FIX: Fixed issue with backslashes in the display name when editing form the PMPro frontend profile page.
- BUG FIX: Fixed issue where timestamps were showing up incorrectly for recent orders shown on the dashboard page.
BUG FIX: Fixed issue where PMPro would always try to add capabilities to the administrator role, even if you removed that role for some reason.
- ENHANCEMENT: Added a pmpro_get_no_access_message() function, which can be used to show the no access messages.
- ENHANCEMENT: Added a “show_noaccess” property to the membership shortcode. When set, it will show the noaccess message to users who don’t have the levels specified.
- ENHANCEMENT: Added a pmpro_user_profile_update_errors hook, which can be used to show errors on the PMPro frontend profile page.
- ENHANCEMENT: The pmpro_set_capabilities_for_role() function now returns true or false if the caps were added in case others want to use this function and tell if it worked.
- ENHANCEMENT: You can now include links in the description of the fields you add to the PMPro advanced settings page via the pmpro_custom_advanced_settings filter.
- ENHANCEMENT: Updated the PayPal gateways to use the latest versions of the PayPal buttons.
- ENHANCEMENT: Fixed styling of the PMPro update script notice.
- ENHANCEMENT: Added the pmpro_account_membership_expiration_text filter to the expiration dates shown on the cancel page when using MMPU.