Support » Plugin: Members - Membership & User Role Editor Plugin » Protecting Administrator from Promote User Capabilities

  • Resolved jimsihk

    (@jimsihk)


    The plugin works perfectly, but I am wondering if there is any way to protect administrators from being removed from the administrator role when there is another user who has a custom role for approving new joiners and changing user roles? I tried, and it seems the capabilities below are the minimum necessary for the purpose, but I also tried and they can remove the administrator role from administrators, which is quite dangerous for a user approver…
    1. General > Read
    2. Users > List Users
    3. Users > Promote Users

    • This topic was modified 10 months, 2 weeks ago by jimsihk.
Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Caseproof

    (@caseproof)

    Hi @jimsihk

    I set those capabilities to custom role:

    1. General > Read
    2. Users > List Users
    3. Users > Promote Users

    but when I switched to this user account I couldn’t delete or edit Administrator. Are these the only capabilities your custom role has?

    Best

    Thread Starter jimsihk

    (@jimsihk)

    Hi @caseproof,

    Sorry for the late reply. I have tried with your setup and found that on the list users page, the “edit” button did disappear under the user name. However, if I try to change roles in batch, it is still able to remove the administrator right of administrators.

    Best

    Thread Starter jimsihk

    (@jimsihk)

    Also, not sure if this is expected, users with this custom role could also add the administrator role to themselves.

    • This reply was modified 9 months, 4 weeks ago by jimsihk.
    Plugin Author Caseproof

    (@caseproof)

    Could you please double-check that the “Position” of your custom role in the Members → Role table is lower than “position” of Administrator role? If this position value is lower, users with this role shouldn’t be able to edit users with the greater “position”.

    Hopefully, that helps.

    Thread Starter jimsihk

    (@jimsihk)

    I checked the page Members → Role, Administrator is at the top of the table with the default sorting applied.

    Similarly, I also checked the edit user profile page; the Administrator is also at the top of the list box.

    Let me know if there is anything more I could share to help.

    My PHP version is 7.4.27 with Members 3.1.7.

    thegirlinthecafe

    (@thegirlinthecafe)

    I have the same problem. Someone who is not an admin can still create an admin user.

    I have create Users and Promote users ticked, but if I don’t tick Promote users, the non admin user can’t choose any user role at all.

    Thread Starter jimsihk

    (@jimsihk)

    @caseproof Are there any thoughts? Or do you need any screen captures?

  • The topic ‘Protecting Administrator from Promote User Capabilities’ is closed to new replies.
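
One way to close the gap described in this thread using WordPress core hooks, as an added example that is not code from the thread or from the Members plugin. It assumes a single-site install, is meant to be dropped in as a small must-use plugin, and the `pa_` function name is hypothetical; it covers the checks WordPress core performs (role pickers, the bulk "Change role to…" action, edit/delete/remove user), and whether the Members plugin's own role UI honours the same hooks is an assumption to verify on your site.

```php
<?php
/**
 * Plugin Name: Protect Administrators (illustrative example)
 *
 * Added example, not part of the Members plugin. Assumes a single-site
 * install where the built-in role slug "administrator" is in use.
 */

// Hypothetical helper: true if the given user currently holds the
// administrator role. Roles are read directly so that this function is
// safe to call from inside the map_meta_cap filter below.
function pa_is_admin( $user_id ) {
    $user = get_userdata( (int) $user_id );
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

// 1. Non-administrators may not assign the administrator role.
//    Core validates the requested role against get_editable_roles(),
//    both on the user edit screen and in the bulk role change, so
//    removing the role here also stops a user approver from granting
//    the administrator role to their own account.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! pa_is_admin( get_current_user_id() ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 2. Non-administrators may not edit, promote, remove or delete an
//    existing administrator. Core calls these meta capabilities with the
//    target user ID in $args[0]; appending 'do_not_allow' makes the
//    check fail no matter which primitive capabilities the role has.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'promote_user', 'remove_user', 'delete_user' );

    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps; // Not a per-user check we care about.
    }

    if ( pa_is_admin( $args[0] ) && ! pa_is_admin( $user_id ) ) {
        $caps[] = 'do_not_allow';
    }

    return $caps;
}, 10, 4 );
```

To verify, log in as a user holding only Read, List Users and Promote Users, then confirm that Administrator is absent from the role dropdowns and that a bulk role change including an administrator account is rejected.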