User Role Editor
user role - custom role promoting users to higher level upto administrator issue (4 posts)

  1. Shashank Shekhar
    Member
    Posted 1 year ago

    Hello,
    I have created a role using user-role-editor 3.9 called 'SiteAdministrator' copied from 'Editor' role but with more capabilities including creating, listing, editing and removing user. Also, removed the capability of 'Edit Dashboard' and 'Promote Users' on this 'SiteAdministrator' role.
    This is all that was done to create a level/role in between the editor and administrator roles in WordPress.
    'Administrator' (wp admin) -> 'SiteAdministrator' -> 'Editor'

    Now, I have created a user with this custom 'SiteAdministrator' role and logged in with it. The one major issue found: this user now has the capability to create users and set their role above itself, for example even administrator! This is a major issue and he can gain control of the site as administrator by creating administrator users. He should be able to create/edit users but not above his own role.

    In fact I want to create a role who can manage each and everything in the site similar to what an editor can do, but with the additional capability of managing users at the same level as or below his role only. He must not be able to edit an administrator user.
    Further, he should not be able to see or select the 'administrator' role in the dropdown while creating/editing a user, and also not be able to see administrator users in the users list.

    Please someone let me know in what way I can achieve it, and throw some light on this major security issue.

    ---
    Thanks
    Shashank

    http://wordpress.org/extend/plugins/user-role-editor/

  2. Shashank Shekhar
    Member
    Posted 1 year ago

    While digging around the internet for hours, I found some very old posts concerning this issue with a wp core hack, but no proper solution.
    http://wordpress.org/support/topic/editor-given-edit-user-role-can-promote-self-to-admin
    http://core.trac.wordpress.org/ticket/6014
    http://forrst.com/posts/WordPress_Help_Editor_can_add_edit_users_but-grD
    I have tried the same with the Members plugin but no gain: http://wordpress.org/support/topic/how-do-i-keep-the-clients-from-creating-admins
    I am wondering whether it is now possible in the new WordPress 3.5? Also thinking about what the 'promote_users' capability really does if it's not working?

    Until it is fixed with a plugin improvement or some custom code is available to write in theme/functions.php with actions/filters without a core hack, it's a potential danger to use this plugin for such a type of custom role having user management access, because they can even delete the main admin, which has far more capabilities than this user.

  3. Vladimir Garagulya
    Member
    Plugin Author
    Posted 1 year ago

    [Edited after additional testing]
    Thank you very much for this message. The issue was known and had been fixed by hiding users with the 'Administrator' role from the user list and excluding the 'Administrator' role from the drop-down menu. And it still works for WordPress 3.5. But User Role Editor should be active for that. And this will lead us to the other issue: some new 'manage_roles' capability is required to be able to prohibit access for such users with the 'edit_users' capability to the "User Role Editor" plugin itself. As such a user could do whatever he wants with his role...

    'promote_users' is for use in a multi-site environment only.

  4. Shashank Shekhar
    Member
    Posted 1 year ago

    Thanks for checking the issue. It's not exactly clear what you want to say, but I have tested it with wp 3.5 with user-role-editor active, and hence the issue I posted.
    As you said before editing your post -> 'Issue was known and had fixed for earlier WP versions by hiding users with 'Administrator' role from user list and excluding 'Administrator' role from drop-down menu. It seems those 'hacks' stopped working. I should investigate the issue and restore that functionality.'
    Yes, there must be the fixes, otherwise it's a great danger to use this plugin.
    The later part you are talking about, the 'other issue', is not very clear.
    By the way, I have solved the issue using the plugin and writing some custom code in my theme's functions.php.
    You can go through these links for the solution (where I have discussed the same):
    http://wordpress.org/support/topic/members-prevent-custom-roles-to-edit-delete-administrator-or-promote-users
    http://wordpress.org/support/topic/how-do-i-keep-the-clients-from-creating-admins

    But these things need to be built in inside the plugin itself. I hope now you will have a better idea along with the solution.. :)
    ---
    Thanks
    Shashank
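For context, the following is an added example of the kind of functions.php mitigation discussed in this thread; it is not code from the thread, from the User Role Editor plugin, or from the linked solutions. It assumes a current WordPress (the `role__not_in` query argument needs 4.4 or newer) and treats any user without the `manage_options` capability as a non-administrator.

```php
<?php
// Added example (not from the thread or the plugin): keep a custom role that
// holds edit_users/delete_users/create_users away from Administrator accounts
// and the Administrator role. Assumption: lacking 'manage_options' means the
// acting user is not an administrator.

// 1. Remove 'administrator' from the role drop-down shown to non-admins.
//    Core's edit_user() rejects any submitted role missing from this list.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 2. Deny edit/delete/promote/remove on any user who holds the administrator
//    role when the acting user is not an administrator. map_meta_cap maps a
//    meta capability to primitive caps; 'do_not_allow' can never be granted.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $target = get_userdata( (int) $args[0] );
    if ( $target
         && in_array( 'administrator', (array) $target->roles, true )
         && ! user_can( $user_id, 'manage_options' ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 4 );

// 3. Hide administrator accounts from user queries on admin screens (the
//    Users list, admin user searches) for non-admins.
add_action( 'pre_get_users', function ( WP_User_Query $query ) {
    if ( is_admin() && ! current_user_can( 'manage_options' ) ) {
        $query->set( 'role__not_in', array( 'administrator' ) );
    }
} );
```

Step 2 is the one that matters for security: steps 1 and 3 only shape the UI, while the capability check also covers crafted form submissions and AJAX or REST calls that never go through the drop-down.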

Topic Closed

This topic has been closed to new replies.
