User Role Editor
Need Admin Role protection (10 posts)

  1. JustinFYI
    Member
    Posted 3 years ago #

    User Role Editor is a beautiful plugin.

    I created a new role called "Owner" with the ability to create, add, edit and remove users. What I like is that the "Owner" role is not able to edit Admin roles, but it is able to delete Admin roles. Any way to protect the Admin roles from being deleted?

    I thought of using the Superadmin plugin but I'm not too sure about that option yet.

    http://wordpress.org/extend/plugins/user-role-editor/

  2. infohowdy
    Member
    Posted 3 years ago #

    I'm interested too

  3. infohowdy
    Member
    Posted 3 years ago #

    justinfyi: the Superadmin plugin doesn't work correctly with User Role Editor.

  4. JustinFYI
    Member
    Posted 3 years ago #

    Thanks for the heads up infohowdy. I was just about to check that out.

  5. infohowdy
    Member
    Posted 3 years ago #

    This sounds strange; in this part of the code a user with a lower level can't delete a user with a higher level...

    // We have two vulnerable queries in the users admin interface which should be processed
    // 1st: http://blogdomain.com/wp-admin/user-edit.php?user_id=ID&wp_http_referer=%2Fwp-admin%2Fusers.php
    // 2nd: http://blogdomain.com/wp-admin/users.php?action=delete&user=ID&_wpnonce=ab34225a78
    // If an Administrator user ID is put into such a request, a user with lower capabilities (if he has 'edit_users')
    // can edit or delete the admin record.
    // This function removes the 'edit_users' capability from the current user's capabilities
    // if the request has an admin user ID in it.
    function ure_not_edit_admin($allcaps, $caps, $name) {

        global $ure_userToEdit;

        $userKeys = array('user_id', 'user');
        foreach ($userKeys as $userKey) {
            $accessDeny = false;
            if (isset($_GET[$userKey])) {
                $ure_UserId = $_GET[$userKey];
                if ($ure_UserId==1) { // built-in WordPress Admin
                    $accessDeny = true;
                } else {
                    if (!isset($ure_userToEdit[$ure_UserId])) {
                        // check if user_id has Administrator role
                        $accessDeny = ure_has_administrator_role($ure_UserId);
                    } else {
                        // user_id was checked already, get result from cache
                        $accessDeny = $ure_userToEdit[$ure_UserId];
                    }
                }
                if ($accessDeny) {
                    unset($allcaps['edit_users']);
                }
                break;
            }
        }

        return $allcaps;
    }
    // end of ure_not_edit_admin()

    function ure_init() {

        global $current_user;

        if (!empty($current_user->ID)) {
            $user_id = $current_user->ID;
        } else {
            $user_id = 0;
        }

        // these filters and actions should prevent editing users with administrator role
        // by other users with 'edit_users' capabilities
        if (!ure_is_admin($user_id)) {

            // Exclude administrator role from edit list.
            add_filter('editable_roles', 'ure_excludeAdminRole');
            // Enqueue jQuery
            add_action('admin_enqueue_scripts' , 'ure_admin_jquery' );
            // Hide Administrator from list of users
            add_action('admin_head' , 'ure_admin_user_hide');
            // prohibit any actions with user who has Administrator role
            add_filter('user_has_cap', 'ure_not_edit_admin', 10, 3);

        }

    }
    // end of ure_init()

  6. JustinFYI
    Member
    Posted 3 years ago #

    Unfortunately even a snippet of code from this doesn't seem to be working as my owner deleted the administrator with User ID 1.

    if ($ure_UserId==1) { // built-in WordPress Admin
    $accessDeny = true;

    Would be nice to get this to function as expected.

  7. JustinFYI
    Member
    Posted 3 years ago #

  8. infohowdy
    Member
    Posted 3 years ago #

    justinfyi, this hides the options, but if you bypass it with a URL query you can delete administrators.
    I think the only way is to modify the wp-admin/users.php page.

  9. infohowdy
    Member
    Posted 3 years ago #

    justinfyi in the file wp-admin/users.php around line 171

    if ( $id == $current_user->ID ) {

    add some rule here

    if ( $id == $current_user->ID || $user->user_level == 10) {

    I know this is not a fair solution...
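    The plugin snippet quoted earlier in this thread strips only the `edit_users` capability, while the delete action in wp-admin/users.php is gated by `delete_users` (and the bulk form submits its targets as `users[]`), which is why the Owner could still delete user ID 1 by URL. Editing core, as suggested just above, is lost on the next WordPress update; the same protection can instead live in a must-use plugin that hooks `user_has_cap`. The following is an added example written for this thread, not code from User Role Editor or from WordPress core. It assumes a WordPress version where the `user_has_cap` filter receives the `WP_User` object as its fourth argument (3.7 and later); the `pad_` function names are the example's own.

```php
<?php
/*
 * Plugin Name: Protect Administrator Accounts (added example for this thread)
 * Description: Deny user-management capabilities to non-administrators for any
 *              request that targets an administrator account. Example code, not
 *              part of User Role Editor or WordPress core.
 *
 * Install as wp-content/mu-plugins/protect-admins.php so it loads before ordinary plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Collect every user id named in the current request.
 * user_id  : wp-admin/user-edit.php
 * user     : single delete/remove on wp-admin/users.php
 * users[]  : bulk actions on wp-admin/users.php (array)
 * Both GET and POST are inspected so the bulk form is covered as well as direct URLs.
 */
function pad_target_user_ids() {
    $ids = array();
    foreach ( array( 'user_id', 'user', 'users' ) as $key ) {
        if ( ! isset( $_REQUEST[ $key ] ) ) {
            continue;
        }
        foreach ( (array) $_REQUEST[ $key ] as $id ) {
            $ids[] = absint( $id ); // non-numeric input becomes 0 and is filtered out below
        }
    }
    return array_filter( array_unique( $ids ) );
}

/**
 * True when the user holds the administrator role, or is a network super admin on multisite.
 */
function pad_user_is_admin( $user_id ) {
    if ( is_multisite() && is_super_admin( $user_id ) ) {
        return true;
    }
    $user = get_userdata( $user_id );
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

/**
 * user_has_cap filter. If the acting user is not an administrator and the request
 * names at least one administrator, remove the whole family of user-management
 * capabilities for this request, so core's own checks (edit_user, delete_users,
 * remove_users, promote_users) all fail regardless of which URL or form was used.
 */
function pad_protect_admins( $allcaps, $caps, $args, $user ) {
    static $in_check = false;
    if ( $in_check || ! is_admin() ) {
        return $allcaps; // only wp-admin handles these requests; guard against re-entry
    }
    $in_check = true;

    // WP_User::allcaps carries role names as keys, so this reads the acting user's role.
    $acting_is_admin = isset( $allcaps['administrator'] )
        || ( is_multisite() && is_super_admin( $user->ID ) );

    if ( ! $acting_is_admin ) {
        foreach ( pad_target_user_ids() as $target_id ) {
            if ( pad_user_is_admin( $target_id ) ) {
                foreach ( array( 'edit_users', 'delete_users', 'remove_users', 'promote_users' ) as $cap ) {
                    unset( $allcaps[ $cap ] );
                }
                break; // one protected target is enough to deny the request
            }
        }
    }

    $in_check = false;
    return $allcaps;
}
add_filter( 'user_has_cap', 'pad_protect_admins', 10, 4 );
```

    Because the denial is applied in the capability check rather than in the admin menu, it holds for direct URL calls, bulk actions and the user-edit screen alike, and it needs no change to wp-admin/users.php. On a multisite network a super admin keeps full access, which is the case the plugin author raises in the next post.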

  10. Vladimir Garagulya
    Member
    Plugin Author
    Posted 3 years ago #

    justinfyi,

    Could you please give me more details: what exactly did your user with the Owner role do? With what action did he delete the user with ID=1? A direct URL call, or a click on a link in the WP admin interface? I wish to reproduce that and find the solution.
    What WP version do you use? Under multi-site WordPress your 'owner' could have superadmin privileges...

    Thanks.

Topic Closed

This topic has been closed to new replies.
