
Editor given edit user role can promote self to Admin (4 posts)

  1. pumpkinpatch
    Member
    Posted 5 years ago #

    When a user with the Editor role is given the additional capability edit_users (maybe by using a plugin like Role Manager), the Editor becomes capable of promoting himself to the role of Administrator. This problem was discussed extensively here, and the need for it to be corrected (in the core?) agreed upon.
    Anyone know where we stand on this?

  2. pumpkinpatch
    Member
    Posted 5 years ago #

    Bump...
    JeremyClarke, you in there????
    You were the one on whom the ticket landed...

  3. pumpkinpatch
    Member
    Posted 5 years ago #

    bump again....
    Moderators...Developers...

  4. utopa
    Member
    Posted 5 years ago #

    pumpkinpatch,
    Same problem for me. I tried first to filter using update_user_query, but I couldn't get it to filter this at all. If you're still looking for a solution, this will do the job in v2.7 (until this can be more gracefully resolved with a plugin or permanent patch):

    This handles preventing updates from the main user listing, via the dropdown menu.
    /wp-admin/users.php, add the following at line 63

    // Inside the foreach over the selected user IDs: refuse to hand out the
    // administrator role unless the current user is already level 10 (administrator).
    $current_user = wp_get_current_user();
    if ( isset( $_REQUEST['new_role'] ) && $_REQUEST['new_role'] == 'administrator'
         && $current_user->user_level != 10 ) {
        $update = 'err_admin_role';
        continue;
    }

    This handles preventing updates on the "profile editor" pages.
    /wp-admin/user-edit.php, add the following at line 130

    // Stop a non-administrator from saving the administrator role on a profile edit.
    $current_user = wp_get_current_user();
    if ( isset( $_REQUEST['role'] ) && $_REQUEST['role'] == 'administrator'
         && $current_user->user_level != 10 ) {
        wp_die( __( 'You do not have permission to promote a user to this level.' ) );
    }

    This handles preventing adding new users at the admin level.
    /wp-admin/user-new.php, add the following at line 23

    // Stop a non-administrator from creating a new user with the administrator role.
    $current_user = wp_get_current_user();
    if ( isset( $_REQUEST['role'] ) && $_REQUEST['role'] == 'administrator'
         && $current_user->user_level != 10 ) {
        wp_die( __( 'You do not have permission to add a user at this level.' ) );
    }

    The logic for all three, in English:
    If the role requested to be assigned is "administrator" and the current user isn't already an administrator (i.e., level 10), throw an error and break out of the update routine.

    It's rough, you're editing core files, but it works without knowing more about how to hook into the update_user_query procedure (which may not even be possible yet).

    Hope this helps!
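
The same rule as utopa's three core patches (only an administrator may assign the administrator role), written as an added plugin example rather than code from this thread or from WordPress core. It assumes a WordPress release that has the `editable_roles` filter and the `user_profile_update_errors` action (both arrived in 2.8, after the 2.7 patches above) and the `set_user_role` action (2.9); the `rap_` function names and the log message are this example's own.

```php
<?php
/*
Plugin Name: Restrict Administrator Promotion (example)
Description: Stops users who are not administrators from assigning the
             administrator role, to themselves or to anyone else.
*/

// True when the logged-in user currently holds the administrator role.
// Assumption: the role slug is the default 'administrator'.
function rap_current_user_is_administrator() {
    $user = wp_get_current_user();
    return ! empty( $user->roles )
        && in_array( 'administrator', (array) $user->roles, true );
}

// Remove 'administrator' from the role lists WordPress offers on user-edit.php,
// user-new.php and the bulk "Change role to..." box on users.php, unless the
// viewer is already an administrator.
function rap_hide_administrator_role( $roles ) {
    if ( ! rap_current_user_is_administrator() ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}
add_filter( 'editable_roles', 'rap_hide_administrator_role' );

// Server-side enforcement. edit_user() fires this action before it writes
// anything, and any error added here aborts the save, so a forged POST that
// carries role=administrator is refused even though the option is hidden
// from the form. $user is the object of submitted values; $user->role holds
// the requested role when one was posted.
function rap_block_administrator_promotion( $errors, $update, $user ) {
    if ( isset( $user->role )
         && 'administrator' === $user->role
         && ! rap_current_user_is_administrator() ) {
        $errors->add(
            'rap_admin_role',
            __( 'You do not have permission to assign the Administrator role.' )
        );
    }
}
add_action( 'user_profile_update_errors', 'rap_block_administrator_promotion', 10, 3 );

// Audit trail: record every grant of the administrator role, whoever made it,
// so a promotion through some other code path still leaves a trace.
function rap_log_administrator_assignment( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        $actor = wp_get_current_user();
        error_log( sprintf(
            'administrator role given to user %d by user %d',
            (int) $user_id,
            (int) $actor->ID
        ) );
    }
}
add_action( 'set_user_role', 'rap_log_administrator_assignment', 10, 2 );
```

Drop the file into wp-content/plugins and activate it. The filter alone is only cosmetic; the `user_profile_update_errors` check is the part that actually refuses the request, which is why both are present.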

This topic has been closed to new replies.