Feature Description

Currently when building users batch for each module, we check if user has access to the dashboard, and individual modules (module shared access/view only access), but there can a scenario where another can setup SK without having access to the connected GA4 and/or SC modules. This we can't know unless a pre-flight check is requested for the service access. We should update this and exclude those admins from receiving emails if they do not have, or have lost access to the service.

Originally spotted by @kelvinballoo while testing edge cases on this issue

Do not alter or remove anything below. The following sections will be managed by moderators only.

Acceptance criteria

• Email reporting runs a per secondary admin, per-module access preflight before requesting report data.
  • View only users have module's shared with them and are tied to the module owner access - if module owner lost access the batch request will fail, so no need to check access for view only users and module owner
• If a subscribed user lacks service-entity access for a module (e.g. GA4/SC), that module is excluded for that user (user is removed from the module users batch)

Implementation Brief

• In includes/Core/Email_Reporting/Email_Reporting_Data_Requests.php:
  • Move module filtering in get_user_payload() to run after switch_user() + wp_set_current_user()
  • Extend module filtering (filter_modules_for_user()) to run a preflight check:
  • For each module, run: if ( $module instanceof Module_With_Service_Entity ) to check for $access = $module->check_service_entity_access(). If it doesn ot return true skip connecting module to the user
    • Apply this preflight only when the recipient is a secondary admin (not module owner or view only user).
      • Secondary admin condition: user_can( $user, Permissions::MANAGE_OPTIONS ) && $user->ID !== $this->get_module_owner_id( $slug )

Test Coverage

• Update Email_Reporting_Data_RequestsTest.php
  • Add case: subscribed user has module visibility but lacks GA4/SC service-entity access → skip outcome code returned (not hard failure).
  • Add case: partial access (one module accessible, one not) → payload includes only accessible module.
  • Keep existing full-access success case unchanged.

QA Brief

• Follow the steps from this issue comment under Edge Case section:

EDGE CASE ⚠️
⚠️ I found an edge case while testing:

• I have my main admin and created admin2

• Main admin did not share any modules with admin2

• Admin2 did not go through view only dashboard but configured SK on his own.

• Admin2 did not have access to SC and GA as per screenshot

  Details

  

• When email was triggered for admin2, there were records pertaining to SC and GA:

  Details

  

• Verify that admin with no access is not having entries created for it

Changelog entry

• Fix bug that caused admins without module access to get emails for modules.