
Capability Manager Enhanced
[resolved] Non-administrators are able to manage users with administrator capabilities (8 posts)

  1. sshukla13
    Member
    Posted 1 year ago #

    I have created a new role (by copying editor role and adding user management capabilities).
    But the user assigned to this role is able to add new users with administrator capabilities. This user (non administrator) also gets the capability to delete admin user.

    http://wordpress.org/extend/plugins/capability-manager-enhanced/

  2. Stanko Metodiev
    Member
    Posted 1 year ago #

    I have the same problem. Please advise what we can do about this?

  3. joonymobile
    Member
    Posted 1 year ago #

    use s2member plugin :)

  4. Stanko Metodiev
    Member
    Posted 1 year ago #

    I use both plugins, but s2member doesn't provide options for control in the admin backend...

  5. castcrus
    Member
    Posted 10 months ago #

    same problem here!

  6. castcrus
    Member
    Posted 10 months ago #

    SOLVED!

    add this to your theme's functions.php

    // Named to avoid redeclaring WordPress core's own map_meta_cap() function
    add_filter( 'map_meta_cap', 'cc_restrict_admin_user_caps', 10, 4 );
    function cc_restrict_admin_user_caps( $caps, $cap, $user_id, $args ){

        switch( $cap ){
            case 'edit_user':
            case 'remove_user':
            case 'promote_user':
                // Users may always act on their own account
                if( isset($args[0]) && $args[0] == $user_id )
                    break;
                // No target user given: deny and stop (otherwise $args[0] is read undefined below)
                if( !isset($args[0]) ){
                    $caps[] = 'do_not_allow';
                    break;
                }
                $other = new WP_User( absint($args[0]) );
                if( $other->has_cap( 'administrator' ) && !current_user_can('administrator') ){
                    $caps[] = 'do_not_allow';
                }
                break;
            case 'delete_user':
            case 'delete_users':
                if( !isset($args[0]) )
                    break;
                $other = new WP_User( absint($args[0]) );
                if( $other->has_cap( 'administrator' ) && !current_user_can('administrator') ){
                    $caps[] = 'do_not_allow';
                }
                break;
            default:
                break;
        }
        return $caps;
    }

    answer from: http://wordpress.stackexchange.com/questions/4479/editor-can-create-any-new-user-except-administrator

  7. drew_r
    Member
    Posted 10 months ago #

    Thanks castcrus! The code pasted above is incomplete, but the full class in the link does the trick:

    class JPB_User_Caps {

      // Add our filters (PHP 5 style constructor; PHP 8 no longer treats a
      // method named after the class as a constructor)
      function __construct(){
        add_filter( 'editable_roles', array( $this, 'editable_roles' ) );
        add_filter( 'map_meta_cap', array( $this, 'map_meta_cap' ), 10, 4 );
      }

      // Remove 'Administrator' from the list of roles if the current user is not an admin
      function editable_roles( $roles ){
        if( isset( $roles['administrator'] ) && !current_user_can('administrator') ){
          unset( $roles['administrator'] );
        }
        return $roles;
      }

      // If someone is trying to edit or delete an admin and that user isn't an admin, don't allow it
      function map_meta_cap( $caps, $cap, $user_id, $args ){

        switch( $cap ){
            case 'edit_user':
            case 'remove_user':
            case 'promote_user':
                // Users may always act on their own account
                if( isset($args[0]) && $args[0] == $user_id )
                    break;
                // No target user given: deny and stop (otherwise $args[0] is read undefined below)
                if( !isset($args[0]) ){
                    $caps[] = 'do_not_allow';
                    break;
                }
                $other = new WP_User( absint($args[0]) );
                if( $other->has_cap( 'administrator' ) && !current_user_can('administrator') ){
                    $caps[] = 'do_not_allow';
                }
                break;
            case 'delete_user':
            case 'delete_users':
                if( !isset($args[0]) )
                    break;
                $other = new WP_User( absint($args[0]) );
                if( $other->has_cap( 'administrator' ) && !current_user_can('administrator') ){
                    $caps[] = 'do_not_allow';
                }
                break;
            default:
                break;
        }
        return $caps;
      }

    }

    $jpb_user_caps = new JPB_User_Caps();

    There's actually a larger bug though - it looks like (at least in my configuration, which uses lots of other plugins) any user with the promote_users capability can change the role of anyone else on the site. They can only set the role to one less than or equal to theirs, but that still means they can demote anybody, which seems to contradict the plugin description: "Non-administrators can only manage roles or users with same or lower capabilities."

    I managed to (mostly) fix it for my case by adding the below code to my theme's functions.php (instead of the code from that link):

    add_filter( 'map_meta_cap', 'map_meta_cap_extension', 10, 4 );
    function map_meta_cap_extension( $caps, $cap, $user_id, $args ){

        // Level of the user whose capabilities are being checked. This is the
        // logged-in user for current_user_can(), but user_can() passes another
        // id, so the filter argument is used instead of the global $current_user.
        $acting_user = get_userdata( absint( $user_id ) );
        if( !$acting_user )
            return $caps;

        switch( $cap ){
            case 'edit_user':
            case 'remove_user':
            case 'promote_user':
                // Users may always act on their own account
                if( isset($args[0]) && $args[0] == $user_id )
                    break;
                // No target user given: deny and stop (otherwise $args[0] is read undefined below)
                if( !isset($args[0]) ){
                    $caps[] = 'do_not_allow';
                    break;
                }
                $other = get_userdata( absint($args[0]) );
                // Deny if the target does not exist or sits at or above the acting user's level
                if( !$other || $other->user_level >= $acting_user->user_level )
                    $caps[] = 'do_not_allow';
                break;
            case 'delete_user':
            case 'delete_users':
                if( !isset($args[0]) )
                    break;
                $other = get_userdata( absint($args[0]) );
                if( !$other || $other->user_level >= $acting_user->user_level )
                    $caps[] = 'do_not_allow';
                break;
            default:
                break;
        }
        return $caps;
    }

    This prevents the user from making changes to users at or above their User Level. Technically user levels are deprecated, but I'm not sure how else to compare two roles to know that one shouldn't be able to change the other - maybe there's a better way.

    On the same note, use this at your own risk - I'm a software developer, but this is literally the first wordpress code I've ever written.

  8. kevinB
    Member
    Plugin Author
    Posted 10 months ago #

    The plugin already supports this without any need for code changes. Just give your limited user editors a role with a lower numeric level than the roles which they should not edit or assign. They will not be able to edit users with a higher role level.

    There was a bug which prevented this filtering from being applied for new user creation. That's fixed in CME 1.5.1.
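    The numeric role-level rule that kevinB describes here, and that drew_r approximated in post 7 with the deprecated user_level, can be modelled outside WordPress. The stand-alone PHP below is an added example, not code from this thread, the plugin or WordPress core: it derives a role's level from its level_N capabilities the way WordPress computes user_level (the highest level_N capability a user holds), then applies an assumed policy (manage only users of strictly lower level; assign only roles at or below your own) to the scenarios from posts 1 and 7. The role table is constructed to mirror the WordPress default roles plus the copied-editor role from post 1, and the function names are my own.

```php
<?php
// Added example: a pure-PHP model of the numeric role-level check discussed in
// the thread. Runs with the php CLI and touches no WordPress API.
declare(strict_types=1);

// Constructed role table (role slug => capability names). Levels mirror the
// WordPress defaults: administrator level_10, editor level_7, author level_2,
// subscriber level_0. 'user_manager' is the post 1 scenario: an editor copy
// with user-management capabilities added, so it stays at level_7.
const ROLES = [
    'administrator' => ['level_10', 'edit_users', 'delete_users', 'promote_users',
                        'create_users', 'list_users', 'remove_users'],
    'editor'        => ['level_7', 'edit_posts', 'publish_posts'],
    'user_manager'  => ['level_7', 'edit_posts', 'publish_posts', 'edit_users',
                        'delete_users', 'promote_users', 'create_users',
                        'list_users', 'remove_users'],
    'author'        => ['level_2', 'edit_posts'],
    'subscriber'    => ['level_0', 'read'],
];

/** Highest level_N capability on a role; this is how WordPress derives user_level. */
function role_level(string $role): int
{
    $max = 0;
    foreach (ROLES[$role] ?? [] as $cap) {
        if (preg_match('/^level_(\d+)$/', $cap, $m)) {
            $max = max($max, (int) $m[1]);
        }
    }
    return $max;
}

/** A user's level is the highest level of any role they hold. */
function user_level(array $roles): int
{
    return array_reduce($roles, fn(int $carry, string $r) => max($carry, role_level($r)), 0);
}

/** Assumed policy: you may edit, delete or demote only users of strictly lower level. */
function can_manage_user(array $actor_roles, array $target_roles): bool
{
    return user_level($target_roles) < user_level($actor_roles);
}

/** Assumed policy: you may assign a role only if its level does not exceed your own. */
function can_assign_role(array $actor_roles, string $role): bool
{
    return role_level($role) <= user_level($actor_roles);
}

/** A promote_user style operation needs both checks to pass. */
function can_set_role(array $actor_roles, array $target_roles, string $new_role): bool
{
    return can_manage_user($actor_roles, $target_roles) && can_assign_role($actor_roles, $new_role);
}

// Walk through the situations raised in the thread.
$cases = [
    ['user_manager',  ['subscriber'],    'administrator'], // post 1: escalate a user to admin -> DENY
    ['user_manager',  ['subscriber'],    'author'],        // ordinary promotion -> ALLOW
    ['user_manager',  ['administrator'], 'subscriber'],    // demote an admin -> DENY
    ['user_manager',  ['editor'],        'subscriber'],    // post 7: demote a same-level user -> DENY
    ['administrator', ['user_manager'],  'subscriber'],    // admin demotes the manager -> ALLOW
];
foreach ($cases as [$actor, $target, $newRole]) {
    printf("%-14s sets %-14s to %-14s: %s\n", $actor, implode(',', $target), $newRole,
        can_set_role([$actor], $target, $newRole) ? 'ALLOW' : 'DENY');
}
```

    Because the copied role keeps level_7, the model denies both the escalation from post 1 and the demotion of a fellow editor from post 7 without any per-role special casing, which is the effect of giving the limited role a lower numeric level than the roles it must not touch.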

Topic Closed

This topic has been closed to new replies.