• Hello

    I need to give a group (called SALESPEOPLE) access to READ, CREATE USERS and EDIT USERS because they will be adding new people into the system. Once again, I want salespeople to have only this limited access.

    The problem is, SALESPEOPLE can create a new user with the role of ADMIN, and then log in as that ADMIN and then they’ve got the whole site. This would be a huge security breach.

    Is there any way that I can use these roles to allow a group to create new users (called CUSTOMERS) but NOT allow them to give those new users ADMIN access?

    Cheers!
    dale

    http://wordpress.org/extend/plugins/capsman/

Viewing 6 replies - 1 through 6 (of 6 total)
  • This has to do with the way WordPress manages Roles and Capabilities. If a user has the capability to create new users, they can assign any role to them. I know this is a security issue, and will check with other developers if there is a way to manage it.

    Thread Starter Mike Smith

    (@daledubilowski)

    Hello Txanny… any update on this one? It’s driving me nuts – seems so simple or obvious but no simply or obvious solution as far as I can tell… 🙁

    I have the same need and I am searching for a plugin. I am a newbie for WP and cannot create a plugin yet, but I have found the following function in wp-admin/includes/user.php. It suggests that since 2.8 users could have limited rights to assign roles.

    /**
    * Fetch a filtered list of user roles that the current user is
    * allowed to edit.
    *
    * Simple function whose main purpose is to allow filtering of the
    * list of roles in the $wp_roles object so that plugins can remove
    * inappropriate ones depending on the situation or user making edits.
    * Specifically because without filtering anyone with the edit_users
    * capability can edit others to be administrators, even if they are
    * only editors or authors. This filter allows admins to delegate
    * user management.
    *
    * @since 2.8
    *
    * @return unknown
    */
    function get_editable_roles()
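    The `editable_roles` filter that get_editable_roles() applies is the hook this thread is looking for. Below is an added example of a small plugin that uses it (this is not code from the thread or from the Capability Manager plugin); the `lrd_` function names and the choice of 'administrator' as the only protected role are assumptions made for the example. It removes the administrator role from what non-administrators may assign, and also stops them from editing, deleting or promoting existing administrator accounts, since an edit_users holder who can change an administrator's e-mail or password would otherwise get the same takeover result.

```php
<?php
/**
 * Plugin Name: Limit Role Delegation (added example)
 * Description: Keeps non-administrators from assigning the administrator
 *              role or from editing existing administrator accounts.
 */

// Roles that only an administrator may hand out or touch (assumption for this example).
function lrd_protected_roles() {
    return array( 'administrator' );
}

function lrd_user_is_admin( $user ) {
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

// 1. Trim the role list that non-administrators see in the role dropdown.
//    Current core's edit_user() also rejects a submitted role that is not in
//    get_editable_roles(), so the filter is enforced on save, not only in the UI.
add_filter( 'editable_roles', function ( $roles ) {
    if ( lrd_user_is_admin( wp_get_current_user() ) ) {
        return $roles;
    }
    foreach ( lrd_protected_roles() as $role ) {
        unset( $roles[ $role ] );
    }
    return $roles;
} );

// 2. Deny non-administrators the per-user meta capabilities on protected accounts.
//    For these caps $args[0] is the ID of the target user; returning
//    'do_not_allow' makes current_user_can() fail for that action.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'promote_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $actor  = get_userdata( $user_id );
    $target = get_userdata( (int) $args[0] );
    if ( ! $actor || ! $target || lrd_user_is_admin( $actor ) ) {
        return $caps; // administrators keep their normal capabilities
    }
    if ( array_intersect( lrd_protected_roles(), (array) $target->roles ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 4 );
```

    Drop the file into wp-content/plugins/ and activate it; then log in as a user with only edit_users/create_users and confirm the administrator role is absent from the role menu and that editing an existing administrator is refused.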

    pik256, many thanks for this. I will take it into consideration to implement in the next plugin version.

    I submitted it to the tracker and you can follow this issue at http://tracker.alkivia.org/view.php?id=181

    Thread Starter Mike Smith

    (@daledubilowski)

    Hi Txanny & pik256 – Thank you so much for looking into this – it’s a very frustrating problem! haha

    Txanny – I don’t want to rush you but – just wondering, what are your update cycles like? 😉 This is one of the final elements of a big project – just wondering if I should try a different approach or hold onto my horses and wait a bit… 🙂

    Thank you sir! Great plugin!

    There are no update cycles defined. As I develop these plugins in my free time, I cannot have a timing plan. I just spend some time to improve the plugins when I have it available 😉

  • The topic ‘[Plugin: Capability Manager] How can I stop lower-level roles from creating a new ADMIN user?’ is closed to new replies.