Support » Plugin: User Role Editor » [Plugin: User Role Editor] Need Admin Role protection

  • User Role Editor is a beautiful plugin.

    I created a new role called “Owner” with the ability to create, add, edit and remove users. What I like is that the “Owner” role is not able to edit Admin roles, but it is able to delete Admin roles. Anyway to protect the Admin roles from being deleted?

    I thought of using the Superadmin plugin but I’m not too sure about that option yet.

Viewing 9 replies - 1 through 9 (of 9 total)
  • I’m interested too

    justinfyi: the Superadmin plugin doesn’t work correctly with User Role Editor.

    Thanks for the heads up infohowdy. I was just about to check that out.

    this sound strange, in this part of code user with minor level can’t delete user with upper lever…

    // We have to vulnerable queries id users admin interfase which should be processed
    // 1st:
    // 2nd:
    // If put Administrator user ID into such request, user with lower capabilities (if he has ‘edit_users’)
    // can edit, delete admin record
    // This function removes ‘edit_users’ capability from current user capabilities
    // if request has admin user ID in it
    function ure_not_edit_admin($allcaps, $caps, $name) {

    global $ure_userToEdit;

    $userKeys = array(‘user_id’, ‘user’);
    foreach ($userKeys as $userKey) {
    $accessDeny = false;
    if (isset($_GET[$userKey])) {
    $ure_UserId = $_GET[$userKey];
    if ($ure_UserId==1) { // built-in WordPress Admin
    $accessDeny = true;
    } else {
    if (!isset($ure_userToEdit[$ure_UserId])) {
    // check if user_id has Administrator role
    $accessDeny = ure_has_administrator_role($ure_UserId);
    } else {
    // user_id was checked already, get result from cash
    $accessDeny = $ure_userToEdit[$ure_UserId];
    if ($accessDeny) {

    return $allcaps;
    // end of ure_not_edit_admin()

    function ure_init() {

    global $current_user;

    if (!empty($current_user->ID)) {
    $user_id = $current_user->ID;
    } else {
    $user_id = 0;

    // these filters and actions should prevent editing users with administrator role
    // by other users with ‘edit_users’ capabilities
    if (!ure_is_admin($user_id)) {

    // Exclude administrator role from edit list.
    add_filter(‘editable_roles’, ‘ure_excludeAdminRole’);
    // Enqueue jQuery
    add_action(‘admin_enqueue_scripts’ , ‘ure_admin_jquery’ );
    // Hide Administrator from list of users
    add_action(‘admin_head’ , ‘ure_admin_user_hide’);
    // prohibit any actions with user who has Administrator role
    add_filter(‘user_has_cap’, ‘ure_not_edit_admin’, 10, 3);


    // end of ure_init()

    Unfortunately even a snippet of code from this doesn’t seem to be working as my owner deleted the administrator with User ID 1.

    if ($ure_UserId==1) { // built-in WordPress Admin
    $accessDeny = true;

    Would be nice to get this to function as expected.

    justinfyi this hide options but if you bypass by a url query you can delete administrators.
    I think the only way is to modify the wp-admin/users.php page

    justinfyi in the file wp-admin/users.php around line 171

    if ( $id == $current_user->ID ) {

    add some rule here

    if ( $id == $current_user->ID || $user->user_level == 10) {

    I know this is not flair solution…

    Plugin Author Vladimir Garagulia



    Could you please give me more details, what exactly your user with Owner role did? With what action he deleted user with ID=1? Direct URL call, link in the WP admin interface click? I wish to reproduce that and find the solution.
    What WP version do you use? Under multi-site WordPress your ‘owner’ could have superadmin privileges…


Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘[Plugin: User Role Editor] Need Admin Role protection’ is closed to new replies.