Members - prevent custom roles from editing or deleting administrators, or promoting users (7 posts)

  1. Shashank Shekhar
    Member
    Posted 1 year ago

    Hello,
    I have created a role using Members 0.2.2 called 'SiteAdministrator', similar to the 'Editor' role but with more capabilities, including creating, listing, editing and deleting users. I also removed the 'Edit Dashboard' and 'Promote Users' capabilities from this 'SiteAdministrator' role.
    This is all that was done to create a level/role/capability in between the Editor and Administrator roles in WordPress.
    'Administrator' (wp admin) -> 'SiteAdministrator' -> 'Editor'

    Now I have created a user with this custom 'SiteAdministrator' role and logged in with it. The one major issue found: this user now has the capability to create users and set their role above its own, for example even Administrator! This is a major issue, as he can gain control of the site as an administrator by creating administrator users. He should be able to create/edit users, but not above his own role.

    In fact I want to create a role that can manage everything in the site, similar to what an Editor can do, but with the additional capability of managing users of the same or a lower role only. He must not be able to edit administrator users.
    Further, he should not be able to see or select the 'Administrator' role in the dropdown while creating/editing a user, and also not be able to see or delete administrator users in the users list.

    Please, someone let me know how I can achieve this, and throw some light on this major security issue and the potential danger.

    While digging over the net for hours, I found some very old posts concerning this issue with WP core hacks, but no proper solution.
    http://wordpress.org/support/topic/editor-given-edit-user-role-can-promote-self-to-admin
    http://core.trac.wordpress.org/ticket/6014
    http://forrst.com/posts/WordPress_Help_Editor_can_add_edit_users_but-grD
    I have tried the same with the User Role Editor plugin, but with no gain: http://wordpress.org/support/topic/user-role-custom-role-promoting-users-to-higher-level-upto-administrator-iss
    I am wondering whether it is now possible in the new WordPress 3.5? I am also wondering what the 'promote_users' capability really does, if it is not working here.

    ---
    Thanks
    Shashank

    http://wordpress.org/extend/plugins/members/

  2. marisqa
    Member
    Posted 1 year ago

  3. Shashank Shekhar
    Member
    Posted 1 year ago

    Thanks for the help. The best solution so far.
    I have replied to you below, where we are having a little conversation.. :)

    http://wordpress.org/support/topic/how-do-i-keep-the-clients-from-creating-admins

    I posted the link above so that other users who come here searching for a solution can find the related place with more ideas/discussion.

    Thanks Marisqa!

  4. Ardibee
    Member
    Posted 1 year ago

    Great thread! Is this something that could be added to the Members plugin? Could it be done within each BuddyPress group, i.e. can we create group-specific admins in a similar manner to site admins vs. network admins in WPMU?

  5. rdmoore1000
    Member
    Posted 1 year ago

    If you want this to apply everywhere, not just in the current theme, then you should paste the code into a PHP file with the plugin header stuff and put it in the plugins folder. Then go to Plugins in the admin area and activate it.

    Fixed for all themes!
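As an added example that is not code from this thread, from the Members plugin or from marisqa's reply (which is not reproduced on this page), here is one way to do what the first post asks for, packaged as a standalone plugin file with the header rdmoore1000 describes. The plugin name and the `par_` functions are made up for the example; it assumes WordPress 4.4 or newer (for `role__not_in` in `pre_get_users`) and treats `administrator` as the only protected role. Add the custom role's own slug to the list if roles below it must not touch it either.

```php
<?php
/**
 * Plugin Name: Protect Administrator Role (example)
 * Description: Keeps non-administrators from assigning, editing, deleting or even listing administrator accounts.
 */

// Roles that only an administrator may assign, edit, delete or see. (Example list;
// add the custom role's own slug here if roles below it must not touch it either.)
function par_protected_roles() {
    return array( 'administrator' );
}

// Only users who themselves hold the administrator role may touch protected roles.
// $user may be a user ID or a WP_User; WordPress checks role names like capabilities.
function par_user_is_privileged( $user ) {
    return user_can( $user, 'administrator' );
}

// Does the target user hold any protected role?
function par_target_is_protected( $target_id ) {
    $target = get_userdata( (int) $target_id );
    return $target && array_intersect( par_protected_roles(), (array) $target->roles );
}

// 1. Drop protected roles from the role dropdown on Add User / Edit User and from
//    the bulk "Change role to" box. get_editable_roles() is re-checked server-side
//    when the form is submitted, so a forged POST with role=administrator is rejected too.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! par_user_is_privileged( wp_get_current_user() ) ) {
        foreach ( par_protected_roles() as $role ) {
            unset( $roles[ $role ] );
        }
    }
    return $roles;
} );

// 2. Deny edit/delete/promote/remove of any user who holds a protected role unless the
//    acting user is privileged. 'do_not_allow' fails the meta cap no matter which
//    primitive caps (edit_users, delete_users, ...) the acting user's role grants.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    if ( par_target_is_protected( $args[0] ) && ! par_user_is_privileged( $user_id ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );

// 3. Hide protected users from Users > All Users (and any other admin-side user query)
//    for non-privileged users. 'role__not_in' requires WordPress 4.4 or newer.
add_action( 'pre_get_users', function ( WP_User_Query $query ) {
    if ( is_admin() && ! par_user_is_privileged( wp_get_current_user() ) ) {
        $query->set( 'role__not_in', par_protected_roles() );
    }
} );

// 4. Remove the "Administrator (n)" link above the list; it comes from count_users(),
//    not from the query filtered in step 3, so it would still reveal the admin count.
add_filter( 'views_users', function ( $views ) {
    if ( ! par_user_is_privileged( wp_get_current_user() ) ) {
        foreach ( par_protected_roles() as $role ) {
            unset( $views[ $role ] );
        }
    }
    return $views;
} );
```

Two checks worth doing after installing it: log in as the custom role and confirm that Users > Add New no longer lists Administrator, that a request with `role=administrator` forged into the POST body is refused with "Sorry, you are not allowed to give users that role", and that an existing administrator's edit/delete links are gone and the corresponding `user-edit.php?user_id=...` URL returns a permissions error. Also make sure the restricted role cannot switch the protection off: do not give it `activate_plugins`, `edit_plugins`, `install_plugins` or `edit_files`, or drop the file into `wp-content/mu-plugins/` where it cannot be deactivated from the admin screens at all.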

  6. BenRacicot
    Member
    Posted 1 year ago

    I use this to keep the administrator role protected... Only you, as the dev, should have that role anyway...

    JBP_class -> https://gist.github.com/2028978

  7. Rocket Pixels
    Member
    Posted 8 months ago

    Great! Anyone want to guess where BenRacicot's PHP file should go???

This topic has been closed to new replies.