Support » Plugin: User Switching » Preventing Editors from becoming Admins – user_roles – membership site security

  • Resolved thezman


    Thanks for a great plugin! It was very useful. Only 1 little thing…

    Please consider the following problem:
    Any user lower than an Administrator who has been given access (such as a custom role like membership_manager or blog_manager) can use this tool to bypass security by switching to an Administrator.

    1. Add some user permissions and wp_role capabilities that can be controlled via code.
    ex: ROLE/CAP: user_can_become_admin, user_can_become_editor, etc…

    2. A checkbox restriction or built-in control mechanism that makes sure lower level users such as subscribers can not become editors, or editors can not become admins

    3. Maybe a HOOK that we can drop into functions.php that allows restriction by user_id or user_nicename, where an array can be passed into user-switching that has a list of banned users

    To conclude:
    Main issue to look at here is preventing people from becoming “admins”

    Note: this is mainly a problem with the toolbar version of this plugin because it lets users search by username. I was able to mod the plugin to prevent the ADMIN from being found, but it's a hack and I want to be able to do this without a hack.

    • This topic was modified 2 years, 10 months ago by thezman.
Viewing 1 replies (of 1 total)
  • Plugin Author John Blackbourn


    WordPress Core Developer

    Thanks for the message.

    The ability to switch to a given user is directly mapped to the ability to edit that user. If you’ve given users the ability to edit other users then they’ll be able to switch to them too.

    It doesn’t really make sense to remove the ability to switch to a user if you can edit that user, because there is no security benefit. If you can edit a user, you can change the user’s password, change their profile information, etc.

    You should probably look at whether your users need the ability to edit Administrators on the site.
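
Added example, not part of the thread and not the plugin's own code: since the reply ties switching to the ability to edit the target user, one way to keep a custom manager role away from Administrators is to deny the per-user capabilities at the capability layer. The `example_` function names are hypothetical, and the snippet assumes a single-site install where "Administrator" means the built-in `administrator` role.

```php
<?php
/**
 * Added example for a site plugin or functions.php.
 * Assumptions: single-site install; "Administrator" is the built-in
 * `administrator` role; the example_ names are hypothetical.
 */

// True when the given user ID holds the built-in administrator role.
function example_is_admin( $user_id ) {
	$user = get_userdata( (int) $user_id );
	return $user && in_array( 'administrator', (array) $user->roles, true );
}

// Deny per-user management capabilities when a non-admin targets an admin.
// If switching follows the edit check, as the reply states, it is denied too.
function example_protect_admins( $caps, $cap, $user_id, $args ) {
	$guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
	if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
		return $caps; // Not a check against a specific user; leave untouched.
	}
	if ( example_is_admin( $args[0] ) && ! example_is_admin( $user_id ) ) {
		$caps[] = 'do_not_allow'; // Core pseudo-capability that no user holds.
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'example_protect_admins', 10, 4 );

// Hide the administrator role from role pickers shown to non-admins, so a
// manager role cannot promote itself or another account to administrator.
function example_hide_admin_role( $roles ) {
	if ( ! example_is_admin( get_current_user_id() ) ) {
		unset( $roles['administrator'] );
	}
	return $roles;
}
add_filter( 'editable_roles', 'example_hide_admin_role' );
```

After deploying, log in as the custom role and confirm that the Users screen offers no edit link for Administrator accounts and that the role dropdown no longer lists Administrator.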


  • The topic ‘Preventing Editors from becoming Admins – user_roles – membership site security’ is closed to new replies.