Hello,
    I have created a role using Members 0.2.2 called ‘SiteAdministrator’, similar to the ‘Editor’ role but with more capabilities, including creating, listing, editing and deleting users. I also removed the ‘Edit Dashboard’ and ‘Promote Users’ capabilities from this ‘SiteAdministrator’ role.
    This is all that was done to create a level/role/capability in between the Editor and Administrator roles in WordPress.
    ‘Administrator’ (wp admin) -> ‘SiteAdministrator’ -> ‘Editor’

    Now, I have created a user with this custom ‘SiteAdministrator’ role and logged in with it. The one major issue found: this user now has the capability to create users and set their role above its own, for example even Administrator! This is a major issue, as he can gain control of the site as administrator by creating administrator users. He should be able to create/edit users, but not above his own role.

    In fact, I want to create a role that can manage everything in the site, similar to what an editor can do, but with the additional capability of managing users at the same or a lower role only. He must not be able to edit administrator users.
    Further, he should not be able to see or select the ‘administrator’ role in the dropdown while creating/editing a user, and also not be able to see or delete administrator users in the users list.

    Please, someone let me know how I can achieve this, and throw some light on this major security issue and potential danger.

    While digging over the net for hours, I found some very old posts concerning this issue with WP core hacks, but no proper solution.
    http://wordpress.org/support/topic/editor-given-edit-user-role-can-promote-self-to-admin
    http://core.trac.wordpress.org/ticket/6014
    http://forrst.com/posts/WordPress_Help_Editor_can_add_edit_users_but-grD
    I tried the same with the User Role Editor plugin, but with no gain: http://wordpress.org/support/topic/user-role-custom-role-promoting-users-to-higher-level-upto-administrator-iss
    I am wondering whether this is now possible in the new WordPress 3.5. I am also wondering what the ‘promote_users’ capability really is for, if it is not working?


    Thanks
    Shashank

    http://wordpress.org/extend/plugins/members/
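The behaviour the post describes is how WordPress's capability model works: `create_users`, `edit_users`, `delete_users` and `promote_users` are site-wide primitives with no notion of a role hierarchy, so any role holding them can hand out the administrator role unless something removes that option. The block below is an added example, not code from the post, from Members, or from WordPress core; it is a small plugin that closes the gap at the three points the post lists. The `editable_roles` filter drops ‘Administrator’ from the role dropdown and, because WordPress's own `edit_user()` and users.php compare a submitted role against `get_editable_roles()` before saving it, also rejects a crafted request that posts `role=administrator`; `map_meta_cap` denies the per-user `edit_user`/`delete_user`/`promote_user`/`remove_user` meta capabilities when the target holds the administrator role; `pre_get_users` hides administrator accounts from the users list. Assumptions: the protected role uses the default `administrator` slug, the file is dropped into `wp-content/plugins/` (or `mu-plugins/`), and the `role__not_in` query argument requires WordPress 4.4 or later.

```php
<?php
/**
 * Plugin Name: Restrict non-administrators from managing administrators
 * Description: Added example (not part of the forum post or the Members plugin):
 *              stops a custom role that holds create_users / edit_users /
 *              delete_users from reaching or touching administrator accounts.
 */

// Role slug that only administrators may assign or manage.
// Assumption: the site uses WordPress's default 'administrator' slug.
define( 'SA_PROTECTED_ROLE', 'administrator' );

/** True when the given user (WP_User object or user ID) holds the protected role. */
function sa_is_admin_user( $user ) {
    $user = is_numeric( $user ) ? get_userdata( (int) $user ) : $user;
    return $user instanceof WP_User
        && in_array( SA_PROTECTED_ROLE, (array) $user->roles, true );
}

// 1. Remove 'Administrator' from the role dropdown on user-new.php, user-edit.php
//    and the bulk "Change role to" menu for anyone who is not an administrator.
//    get_editable_roles() is also what edit_user() and users.php consult before
//    saving a submitted role, so a hand-crafted POST with role=administrator is
//    refused server-side rather than merely hidden in the UI.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! sa_is_admin_user( wp_get_current_user() ) ) {
        unset( $roles[ SA_PROTECTED_ROLE ] );
    }
    return $roles;
} );

// 2. Deny the per-user meta capabilities when the *target* is an administrator
//    and the *actor* is not. Adding 'do_not_allow' to the primitive caps makes
//    current_user_can( 'edit_user', $id ) return false, which removes the
//    Edit/Delete row actions and blocks the form handlers behind them.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    if ( sa_is_admin_user( (int) $args[0] ) && ! sa_is_admin_user( (int) $user_id ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );

// 3. Hide administrator accounts from the Users list for everyone else.
//    The role__not_in argument assumes WordPress 4.4 or later.
add_action( 'pre_get_users', function ( WP_User_Query $query ) {
    if ( is_admin() && ! sa_is_admin_user( wp_get_current_user() ) ) {
        $query->set( 'role__not_in', array( SA_PROTECTED_ROLE ) );
    }
} );
```

Two things to check after activating it: log in as the SiteAdministrator user, open Users > Add New and confirm ‘Administrator’ is absent from the dropdown, then re-submit that form with the role field changed to `administrator` in the browser's developer tools and confirm WordPress answers with its "not allowed to give users that role" error. Note that the step-3 filter only hides administrators from listings; the actual protection against editing or deleting them comes from step 2, so keep both even if you later loosen the list filter.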

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘members – prevent custom roles to edit, delete administrator or promote users’ is closed to new replies.