I have created a role using members 0.2.2 called 'SiteAdministrator' similar to 'Editor' role but with more capabilities including creating, listing, editing and deleting user. Also, removed the capability of 'Edit Dashboard' and 'Promote Users' on this 'SiteAdministrator' role.
This is all what done to create a level/role/capability inbetween of editor and administrator role in wordpress.
'Administrator' (wp admin) -> 'SiteAdministrator' -> 'Editor'
Now, I have created a user with this custom 'SiteAdministrator' and logged-in with it. The one major issue found, this user has now capability to create users and set their role above itself for example even adminitrator! This is major issue and he can gain control of site as administrator by creating administrator users. He should be able to create/edit users but must not above his own role.
In fact I want to create a role who can manage everything in the site similar to what editor can do but additional capability of managing users same or below his role only. He must not be able to edit administrator user.
Further, he should not able to see or select the 'administrator' role in dropdown while creating/editing user, and also not able to see or delete administrator users in the users list.
Please someone let me know in what way I can achieve it, and throw some light on this major security issue and potential danger.
While digging over net for hours, I found some very old posts concerning this issue with wp core hack, but not have proper solution.
I have tried the same with user-role-editor plugin but no gain http://wordpress.org/support/topic/user-role-custom-role-promoting-users-to-higher-level-upto-administrator-iss
I am wandering that if now its possible in new wordpress 3.5? Also thinking of what is 'promote_users' capability in real if its not working?