Re: BP plugins are visible and activatable for non-admin users in their consoles
The visibility of the Admin nav-item is a side effect of “Site Wide: true” but it isn’t the correct way to fix this.
The “Site Wide” meta value doesn’t have anything to do with users, roles, or capabilities. It’s only there to tell WordPress that the plugin can act as the umbrella that covers all blogs/sites in a network.
The offending plugins are simply just not using the correct methods to add their navigation to the Admin area.
WordPress has many wrappers to help make this easy for plugin authors:
add_management_page
add_options_page
add_theme_page
add_users_page
add_dashboard_page
add_posts_page
add_media_page
add_links_page
add_pages_page
add_comments_page
All of the above functions are passed an $access_level variable that can be set to a “current_user_can” value to limit its access.
I’d drop a message to the authors of the plugins that are showing their settings to unauthorized users. That isn’t just inconvenient/embarrassing/confusing, it’s a security risk.
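An added example, not part of the original post and not taken from any of the plugins discussed: a settings page registered through `add_options_page` with a capability as the third argument (the post's `$access_level`; current WordPress names this parameter `$capability`), with the weak setting shown beside the corrected one. The `example_settings` slug, the `example_value` option, the nonce action and the `example_*` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Settings (constructed example)
 */

add_action( 'admin_menu', 'example_register_settings_page' );

function example_register_settings_page() {
    // Weak form: 'read' is held by every logged-in role, so subscribers
    // would see the menu item and be able to open the page.
    // add_options_page( 'Example Settings', 'Example', 'read', 'example_settings', 'example_render_settings_page' );

    // Corrected form: WordPress hides the menu item and refuses direct
    // requests for the page unless current_user_can( 'manage_options' ).
    add_options_page(
        'Example Settings',             // page title
        'Example',                      // menu title
        'manage_options',               // capability required
        'example_settings',             // menu slug (hypothetical)
        'example_render_settings_page'  // render callback (hypothetical)
    );
}

function example_render_settings_page() {
    // Re-check in the callback so the handler stays safe if it is ever
    // hooked or called from somewhere other than the menu.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ) );
    }

    if ( isset( $_POST['example_value'] ) ) {
        // Dies unless the request carries a valid nonce for this action.
        check_admin_referer( 'example_save_settings' );
        update_option( 'example_value', sanitize_text_field( wp_unslash( $_POST['example_value'] ) ) );
    }
    ?>
    <div class="wrap">
        <h1>Example Settings</h1>
        <form method="post">
            <?php wp_nonce_field( 'example_save_settings' ); ?>
            <input type="text" name="example_value" value="<?php echo esc_attr( get_option( 'example_value', '' ) ); ?>">
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

To check a plugin, log in as a subscriber and confirm that the menu item is absent and that requesting the page URL directly returns a permission error.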