Setup: Extended Super Admins (ESA) Plugin installed on a fresh WP 3.2 Multi-site
I created a new role and applied it to a super admin named SAdmin. I configured the role and removed all capabilities except for installing, editing and activating/deactivating Themes and Plugins across the network. I also removed the manage_esa_options capability. Again, I disabled all other capabilities. No access to Site Admin as well.
Removing the capability for network_esa_options also removed the ability of SAdmin to access the ESA settings. This is what I need. It works really well now on the fresh WP 3.2 with the new 0.6.1 version (many thanks to Curtiss Grymala).
However, since SAdmin has access to the Plugins menu, it can also click on the options of the ESA plugin itself. Below is a list of what happens when clicking on the ESA options under Plugins:
Settings – a message appeared: You do not have sufficient permissions to access this page (this is ok and expected)
Network Deactivate – it deactivated ESA plugin and therefore gave SAdmin full access to the Network (this is not ok)
Edit – it allowed SAdmin access to the source code (I’m not sure if this is ok)
Delete Settings – a message appeared: You do not have sufficient permissions to access this page (this is ok and expected)
Is it possible that if the capability network_esa_options is checked/removed from the role, the super admin belonging to the role will not be able to deactivate the plugin as it defeats the purpose of removing the capability? This means that the expected response is also ‘You do not have sufficient permissions to access this page’. Could this restriction be also applied when clicking on Edit? However, SAdmin must still be able to have full access to all other installed plugins (except for ESA of course).
I hope I’m not complicating things.
Thanks for any assistance.
That’s a really good idea; and is something I hadn’t really thought of before (as, in my installation, we’re removing the manage_network_plugins capability, so they can’t do that).
I will definitely look into adding this feature over the next few weeks; but can’t promise anything, as I haven’t investigated yet to see what changes need to be made.
Many thanks for this great plugin. Looking forward to this possible feature.
In the meantime, I hope my super admin doesn’t figure it out 🙂
I’d like to know if you’ve been able to look into this ‘feature’ (just in case)?
Phil – I just uploaded a new Development Version that disables the plugin action links (“Activate”, “Deactivate”, “Edit”, “Delete”) if the user doesn’t have the manage_esa_options capability.
I’m not sure if it’s possible to disable the plugin editor for a specific plugin or not. It seems to be all or nothing (either the plugin editor is enabled for a user – the edit_plugins capability – or it’s disabled for a user, but there doesn’t seem to be any simple way to hide a specific plugin from the editor). I’m still looking into it and will let you know if I’m able to figure it out. Thanks.
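An added example, not part of the thread and not code from the Extended Super Admins plugin: one way to back the hidden action links with a server-side check, so that requests to plugins.php and plugin-editor.php that name the guarded plugin are refused for users without manage_esa_options. It assumes the code is loaded as a must-use plugin; `PROTECTED_PLUGIN` and the `guard_*` function names are hypothetical, and the plugin path is a placeholder.

```php
<?php
// Added example, not code from the Extended Super Admins plugin.
// PROTECTED_PLUGIN is a placeholder: set it to the guarded plugin's basename.
define( 'PROTECTED_PLUGIN', 'example-plugin/example-plugin.php' ); // hypothetical path

// True when any requested plugin or file path lies in the protected plugin's directory.
function guard_targets_protected( $paths ) {
    $dir = dirname( PROTECTED_PLUGIN ) . '/';
    foreach ( (array) $paths as $path ) {
        // Request values arrive slashed; normalise separators and leading slashes.
        $path = ltrim( str_replace( '\\', '/', stripslashes( (string) $path ) ), '/' );
        if ( $path === PROTECTED_PLUGIN || 0 === strpos( $path, $dir ) ) {
            return true;
        }
    }
    return false;
}

// UI layer: drop the row links for users lacking the capability.
function guard_filter_links( $actions ) {
    return current_user_can( 'manage_esa_options' ) ? $actions : array();
}
add_filter( 'plugin_action_links_' . PROTECTED_PLUGIN, 'guard_filter_links' );
add_filter( 'network_admin_plugin_action_links_' . PROTECTED_PLUGIN, 'guard_filter_links' );

// Enforcement layer: refuse the request itself, covering single actions
// ('plugin'), bulk actions ('checked') and editor loads ('file' / 'plugin').
function guard_block_request() {
    if ( current_user_can( 'manage_esa_options' ) ) {
        return;
    }
    $targets = array();
    foreach ( array( 'plugin', 'file', 'checked' ) as $key ) {
        if ( isset( $_REQUEST[ $key ] ) ) {
            $targets = array_merge( $targets, (array) $_REQUEST[ $key ] );
        }
    }
    if ( guard_targets_protected( $targets ) ) {
        wp_die( 'You do not have sufficient permissions to access this page.' );
    }
}
add_action( 'load-plugins.php', 'guard_block_request' );
add_action( 'load-plugin-editor.php', 'guard_block_request' );
```

The check only sees requests that name a plugin or file, so an editor request that names neither is not covered by it.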
- The topic ‘[Plugin: Extended Super Admins] Created role can still network deactivate plugin’ is closed to new replies.