WordPress.org


[Plugin: Members] Some suggestions (5 posts)

  1. eljkmw
    Member
    Posted 4 years ago #

    I noticed a few things which this plugin lacks and which need to be incorporated:

    • A Role with capabilities to Create but not to Edit nor Delete Roles, the plugin should still allow access into the Users >> Roles submenu. In this submenu, it should just list the roles, with the option to View Users only.
    • A Role at a lower capability level (e.g., Editor) cannot Edit the capabilities of a role higher than itself (e.g., Administrator).
    • When creating a New Role, it should not list all of the optional capabilities unless the current user is a Level_10 capability.

    I hope that these suggestions can be added in the next release. Amazing plugin.
    Lovin' it !!!

  2. Justin Tadlock
    Member
    Posted 4 years ago #

    Ideas and suggestions forum for the Members plugin is here:
    http://themehybrid.com/community/forum/ideas

    > A Role with capabilities to Create but not to Edit nor Delete Roles, the plugin should still allow access into the Users >> Roles submenu. In this submenu, it should just list the roles, with the option to View Users only.

    Good idea. I'll put that on the to-do list.

    > A Role at a lower capability level (e.g., Editor) cannot Edit the capabilities of a role higher than itself (e.g., Administrator).

    Roles in WordPress are not hierarchical. One role is not "higher" or "lower" than another role. You should read this post:
    http://justintadlock.com/archives/2009/08/30/users-roles-and-capabilities-in-wordpress

    > When creating a New Role, it should not list all of the optional capabilities unless the current user is a Level_10 capability.

    User levels were deprecated a long, long time ago and are only there for legacy support. Plugins should not be using them. You're focusing on a hierarchy again as well, and I highly encourage you to read the post I linked to.

  3. eljkmw
    Member
    Posted 4 years ago #

    Hi Justin,

    Thanks for the link to your plugin forum. But since the discussion has been initiated here, I'll continue from here.

    Glad to know that the first suggestion is in your to-do list. It'll be best to just leave the Roles submenu visible, but the manageability of the Roles will depend on the current user's capabilities - Edit Roles and/or Delete Roles. View Roles will always be available even if both Edit Roles and Delete Roles are disabled, as a convenience for administrators.

    I've read the post you gave. Thank you for sharing. However, how does one avoid listing all of the optional capabilities for a particular Role? I foresee this will be a security issue, if a member can Edit Roles in gaining access to an administrative level.

    I look forward to your next release soon.

    Cheers,
    Jason

  4. Justin Tadlock
    Member
    Posted 4 years ago #

    > However, how does one avoid listing all of the optional capabilities for a particular Role? I foresee this will be a security issue, if a member can Edit Roles in gaining access to an administrative level.

    First, I would consider all capabilities "optional."

    If someone is given the edit_roles capability, I would assume you trust that person enough to actually allow them to, well, edit roles and their given capabilities. It's no different than you giving a role the cap of edit_themes. You should trust users of that role enough to let them edit your themes.

    Using a plugin like this gives a lot of responsibility to the end user. Any changes to roles and capabilities must be changed wisely. Security should always be a major concern when changing roles and caps. There's a reason this plugin has so much documentation — to help people not make major mistakes.

  5. eljkmw
    Member
    Posted 4 years ago #

    I agree that the role capabilities are "optional". However, it can be tricky to easily lock yourself out, which happened to me. I had to edit the wp_user_roles in the "wp_options" table via phpMyAdmin just to unlock myself. Just a precaution here!
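
The two concerns raised in this thread (a holder of edit_roles granting capabilities beyond their own, and a role edit that locks everyone out) can both be handled by comparing capability sets, with no role hierarchy involved. The following is an added example, not part of the thread or of the Members plugin: the `example_*` function names are hypothetical, and it assumes it runs inside WordPress with the Members plugin active so that the edit_roles capability exists.

```php
<?php
// Added example; the example_* names are hypothetical, the calls are WordPress core API.

// Grant capabilities to a role, but only ones the acting user already holds,
// so edit_roles on its own cannot be used to hand out new privileges.
function example_grant_caps( $role_name, array $caps ) {
	$role = get_role( $role_name );
	if ( ! current_user_can( 'edit_roles' ) || null === $role ) {
		return new WP_Error( 'refused', 'Not allowed, or unknown role.' );
	}
	$granted = array();
	foreach ( $caps as $cap ) {
		if ( is_string( $cap ) && '' !== $cap && current_user_can( $cap ) ) {
			$role->add_cap( $cap ); // Persists to the roles option in wp_options.
			$granted[] = $cap;
		}
	}
	return $granted; // Capabilities actually added; all others were refused.
}

// Remove a capability, unless it is edit_roles and no other role holds it:
// that is the lock-out that otherwise has to be repaired in the database.
function example_remove_cap( $role_name, $cap ) {
	$role = get_role( $role_name );
	if ( ! current_user_can( 'edit_roles' ) || null === $role ) {
		return new WP_Error( 'refused', 'Not allowed, or unknown role.' );
	}
	if ( 'edit_roles' === $cap ) {
		$still_held = false;
		foreach ( wp_roles()->role_objects as $name => $other ) {
			if ( $name !== $role_name && $other->has_cap( 'edit_roles' ) ) {
				$still_held = true;
				break;
			}
		}
		if ( ! $still_held ) {
			return new WP_Error( 'lockout', 'No other role would keep edit_roles.' );
		}
	}
	$role->remove_cap( $cap );
	return true;
}
```

The lock-out check looks only at roles; it does not verify that any user is actually assigned to the role that still holds edit_roles.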
