members - prevent custom roles to edit, delete administrator or promote users (7 posts)

  1. Shashank Shekhar
    Posted 2 years ago #

    I have created a role using members 0.2.2 called 'SiteAdministrator' similar to the 'Editor' role but with more capabilities including creating, listing, editing and deleting users. Also, removed the capability of 'Edit Dashboard' and 'Promote Users' on this 'SiteAdministrator' role.
    This is all that was done to create a level/role/capability in between the editor and administrator roles in wordpress.
    'Administrator' (wp admin) -> 'SiteAdministrator' -> 'Editor'

    Now, I have created a user with this custom 'SiteAdministrator' role and logged in with it. The one major issue found: this user now has the capability to create users and set their role above itself, for example even administrator! This is a major issue and he can gain control of the site as administrator by creating administrator users. He should be able to create/edit users but not above his own role.

    In fact I want to create a role who can manage everything in the site similar to what an editor can do but with the additional capability of managing users of the same or lower role only. He must not be able to edit an administrator user.
    Further, he should not be able to see or select the 'administrator' role in the dropdown while creating/editing a user, and also not be able to see or delete administrator users in the users list.

    Please someone let me know in what way I can achieve it, and throw some light on this major security issue and potential danger.

    While digging over the net for hours, I found some very old posts concerning this issue with a wp core hack, but they did not have a proper solution.
    I have tried the same with the user-role-editor plugin but no gain http://wordpress.org/support/topic/user-role-custom-role-promoting-users-to-higher-level-upto-administrator-iss
    I am wondering if it is now possible in the new wordpress 3.5? Also thinking about what the 'promote_users' capability really is if it is not working?



  2. marisqa
    Posted 2 years ago #

  3. Shashank Shekhar
    Posted 2 years ago #

    Thanks for the help. The best solution till now.
    I have replied to you here below, where we are having a little conversation.. :)


    Posted the link here above, so other users searching for solution coming here could find the related place with more ideas/discussion.

    Thanks Marisqa!

  4. Ardibee
    Posted 2 years ago #

    Great thread! Is this something that could be added to the members plug-in? Could it be done within each buddypress group - i.e. can we create group-specific admins in a similar manner to site admins vs network admins in WPMU?

  5. rdmoore1000
    Posted 2 years ago #

    If you want this to generalize to everywhere, not just the current theme, then you should paste the code into a php file with the plugin header stuff, and put it in the plugins folder. Then, go to plugins in the admin area, and activate it.

    Fixed for all themes!
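    The escalation described in the first post, and the stand-alone plugin file rdmoore1000 suggests, as an added example that is not code from this thread, from the Members plugin or from marisqa's reply. It assumes the custom role slug is 'siteadministrator' and assumes the role ordering given in the array; it uses WordPress's 'editable_roles' and 'map_meta_cap' filters, which also cover the form submission because wp-admin's edit_user() validates the posted role against get_editable_roles().

```php
<?php
/*
Plugin Name: Role Ceiling (example)
Description: Stops a user from assigning, editing or deleting roles above their own.
*/

// Assumed role ordering, highest first. 'siteadministrator' is an assumed slug;
// use the slug the Members plugin actually registered for the custom role.
function rc_role_rank( $role ) {
    $order = array( 'administrator', 'siteadministrator', 'editor', 'author', 'contributor', 'subscriber' );
    $pos   = array_search( $role, $order, true );
    return ( false === $pos ) ? count( $order ) : $pos; // unknown roles rank lowest
}

// Best (lowest number) rank among a user's roles; PHP_INT_MAX if the user does not exist.
function rc_user_rank( $user_id ) {
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return PHP_INT_MAX;
    }
    $rank = PHP_INT_MAX;
    foreach ( (array) $user->roles as $role ) {
        $rank = min( $rank, rc_role_rank( $role ) );
    }
    return $rank;
}

// Hide roles above the current user's own rank from the role dropdown. Since
// edit_user() checks the submitted role against this same list, a hand-crafted
// POST naming 'administrator' is rejected server-side as well.
add_filter( 'editable_roles', function ( $roles ) {
    $ceiling = rc_user_rank( get_current_user_id() );
    foreach ( array_keys( $roles ) as $slug ) {
        if ( rc_role_rank( $slug ) < $ceiling ) {
            unset( $roles[ $slug ] );
        }
    }
    return $roles;
} );

// Deny editing, deleting, removing or promoting any user who outranks the actor.
// $args[0] is the target user id for these meta capabilities.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
    if ( in_array( $cap, $guarded, true ) && ! empty( $args[0] )
         && (int) $args[0] !== (int) $user_id
         && rc_user_rank( (int) $args[0] ) < rc_user_rank( $user_id ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );
```

    Administrators are unaffected because no role ranks above them; a 'siteadministrator' can still manage editors and below but gets "you are not allowed" on any administrator account.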

  6. BenRacicot
    Posted 2 years ago #

    I use this for keeping the administrator role protected... Only you as the dev should have that role anyways...

    JBP_class -> https://gist.github.com/2028978

  7. Rocket Pixels
    Posted 1 year ago #

    Great! Anyone want to guess where BenRacicot's php file should go???

Topic Closed

This topic has been closed to new replies.
