Cristian,
I was logged in as a level 1 user.
In my world, the only capabilities applied to this role are:
* access_s2member_level1
* access_s2member_level0
* read
Profile modifications are disallowed in my setup.
I only tried this as a test and the modifications form came up.
All s2member registration fields were not editable (that’s how I set up my forms).
However, the following fields are:
* Email address
* First name
* Last name
* Display name
* Password
I tested editing by changing the last name and it successfully saved the new entry.
I realize these are default WP fields but I feel that they should not be accessed, either.
Under s2member > General Options > Member Profile Modifications I have the “Redirect Members away from the Default Profile Panel? ” setting set as “Yes”.
If you log in as a s2member levelX user you can use Firebug to see all the data loaded in the DOM by s2member. One line, among all the other lines with tons of individual and plugin-specific s2member data, is:
S2MEMBER_CURRENT_USER_PROFILE_MODIFICATION_PAGE_URL “https://www.xxxxxxxxxxxxxx.com/?s2member_profile=1”
So someone could easily find that and access this page…………..
Does that help?
Bran