Top-level admin-area menu for Forums is not visible to Moderators

[johnjamesjacoby]

User accounts assigned the Moderator role are capable of editing existing forums and creating new ones, but their mapped capabilities prevent them from visiting the admin-area Forums pages.

Neither the "All Forums" nor the "Add Forum" menu items are visible, and attempting to visit their URLs manually will trigger the standard WordPress wp_die(), due to an incorrect check inside of bbp_map_forum_meta_caps().

Originally reported on HackerOne as a security vulnerability allowing Moderators to edit forums, that shed some light onto this bug instead.

[johnjamesjacoby]

Logged in as Moderator, visiting an existing single Forum theme-side

[johnjamesjacoby]

In 7346:

Forums: swap out bbp_is_user_keymaster() check for moderate capability when checking the edit_forums and edit_others_forums mapped forum caps.

This commit fixes a bug that was causing the top-level admin-area "Forums" menu to not appear for logged in users who were assigned the "Moderator" role.

Moderators are intended to be like Editors, capable of moderating all forum-specific content. Sometimes that includes editing forum titles, descriptions, slugs, or creating a new forum and moving a bunch of existing topics into it.

Note: this change is largely a visual one, as Moderators have had the ability to edit forums since bbPress 2.2 when BuddyPress Group Forum support was added, if they already had the edit URL.

In trunk, for 2.7.

Fixes #3646.