[Plugin: Members] Some suggestions

  • I noticed a few things which this plugin lacks and which need to be incorporated:

    • A Role with capabilities to Create but not to Edit nor Delete Roles, the plugin should still allow access into the Users >> Roles submenu. In this submenu, it should just list the roles, with the option to View Users only.
    • A Role at a lower capability level (e.g., Editor) cannot Edit the capabilities of a role higher than itself (e.g., Administrator).
    • When creating a New Role, it should not list all of the optional capabilities unless the current user is a Level_10 capability.

    I hope that these suggestions can be added in the next release. Amazing plugin.
    Lovin’ it !!!

  • Justin Tadlock

    @greenshady

    WordPress God

    Ideas and suggestions forum for the Members plugin is here:
    http://themehybrid.com/community/forum/ideas

    > A Role with capabilities to Create but not to Edit nor Delete Roles, the plugin should still allow access into the Users >> Roles submenu. In this submenu, it should just list the roles, with the option to View Users only.

    Good idea. I’ll put that on the to-do list.

    > A Role at a lower capability level (e.g., Editor) cannot Edit the capabilities of a role higher than itself (e.g., Administrator).

    Roles in WordPress are not hierarchical. One role is not “higher” or “lower” than another role. You should read this post:
    http://justintadlock.com/archives/2009/08/30/users-roles-and-capabilities-in-wordpress

    > When creating a New Role, it should not list all of the optional capabilities unless the current user is a Level_10 capability.

    User levels were deprecated a long, long time ago and are only there for legacy support. Plugins should not be using them. You’re focusing on a hierarchy again as well, and I highly encourage you to read the post I linked to.

    Hi Justin,

    Thanks for the link to your plugin forum. But since the discussion was initiated here, I’ll continue from here.

    Glad to know that the first suggestion is in your to-do list. It’ll be best to just leave the Roles submenu visible, but the manageability of the Roles will depend on the current user’s capabilities – Edit Roles and/or Delete Roles. View Roles will always be available even if both Edit Roles and Delete Roles are disabled, as a convenience for administrators.

    I’ve read the post you gave. Thank you for sharing. However, how does one avoid listing all of the optional capabilities for a particular Role? I foresee this will be a security issue, if a member can Edit Roles in gaining access to an administrative level.

    I look forward to your next release soon.

    Cheers,
    Jason

    Justin Tadlock

    @greenshady

    WordPress God

    > However, how does one avoid listing all of the optional capabilities for a particular Role? I foresee this will be a security issue, if a member can Edit Roles in gaining access to an administrative level.

    First, I would consider all capabilities “optional.”

    If someone is given the edit_roles capability, I would assume you trust that person enough to actually allow them to, well, edit roles and their given capabilities. It’s no different than you giving a role the cap of edit_themes. You should trust users of that role enough to let them edit your themes.

    Using a plugin like this gives a lot of responsibility to the end user. Any changes to roles and capabilities must be changed wisely. Security should always be a major concern when changing roles and caps. There’s a reason this plugin has so much documentation — to help people not make major mistakes.

    I agree that the role capabilities are “optional”. However, it can be tricky to easily lock yourself out, which happened to me. I had to edit the wp_user_roles in the “wp_options” table via phpMyAdmin just to unlock myself. Just a precaution here!
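
The two risks raised in this thread (a user with edit_roles granting capabilities they do not hold, and an edit that leaves nobody able to manage roles) can be written as pre-save checks. This is an added example, not code from the thread or from the Members plugin: `review_role_edit` and the sample roles are hypothetical, and the array shape assumes the layout WordPress stores in the wp_user_roles option.

```php
<?php
// Added example: hypothetical helper, not part of WordPress or the Members plugin.
// $roles mirrors the array stored in the wp_user_roles option:
//   role slug => ['name' => string, 'capabilities' => [cap => bool]]

/** Return the reasons a proposed role edit should be refused (empty array = allow). */
function review_role_edit(array $roles, array $actorCaps, string $target, array $newCaps): array
{
    $problems = [];
    $held = array_keys(array_filter($actorCaps));   // caps the acting user really has
    $old  = array_keys(array_filter($roles[$target]['capabilities'] ?? []));
    $new  = array_keys(array_filter($newCaps));

    // Escalation guard: a newly granted cap must already be held by the actor.
    foreach (array_diff($new, $old, $held) as $cap) {
        $problems[] = "escalation: actor lacks '$cap' and cannot grant it";
    }

    // Lockout guard: after the edit, some role must still be able to manage roles.
    $roles[$target]['capabilities'] = $newCaps;
    $managers = array_filter($roles, fn($r) => !empty($r['capabilities']['edit_roles']));
    if (!$managers) {
        $problems[] = "lockout: no role would retain 'edit_roles'";
    }
    return $problems;
}

// Constructed sample data (not taken from a real site).
$roles = [
    'administrator' => ['name' => 'Administrator', 'capabilities' => [
        'edit_roles' => true, 'edit_themes' => true, 'manage_options' => true, 'edit_posts' => true,
    ]],
    'editor' => ['name' => 'Editor', 'capabilities' => [
        'edit_roles' => true, 'edit_posts' => true,
    ]],
];

// Case 1: an Editor holding edit_roles tries to add edit_themes to its own role.
$editorCaps = $roles['editor']['capabilities'];
print_r(review_role_edit($roles, $editorCaps, 'editor', $editorCaps + ['edit_themes' => true]));

// Case 2: only Administrator can manage roles, and the edit drops edit_roles from it.
$single = $roles;
unset($single['editor']['capabilities']['edit_roles']);
$adminCaps = $single['administrator']['capabilities'];
$stripped  = ['edit_roles' => false] + $adminCaps;
print_r(review_role_edit($single, $adminCaps, 'administrator', $stripped));
```

Neither check depends on a role hierarchy: the first compares capability sets only, and the second only asks whether any role keeps edit_roles.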
