• Resolved nonprofitweb

    (@nonprofitweb)


    A non-administrator user that has access to the backend plugin page can accidentally delete themselves if their user is not in the CSV import file and the option “Delete users that are not present in the CSV” is selected.

    Adding the following code to the get_users function args (after line 703) seems to fix this.
    'exclude' => array(get_current_user_id())

    Thank you for the great plugin!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Javier Carazo

    (@carazo)

    @nonprofitweb,

    Thanks again for this new fix. I have just added it.

    I will update it tomorrow.

    You are the best tester we have ever had!

    Thread Starter nonprofitweb

    (@nonprofitweb)

    Update: While the above solution works in my particular use case, a more robust solution that checks against the editable roles is as follows:

    				
    // first get all roles
    global $wp_roles;
    $all_roles = $wp_roles->roles;
    
    // now remove editable roles
    $exclude_roles = array_diff(array_keys($all_roles), $editable_roles);
    
    // make sure administrator role is still in array. This continues current method of excluding administrator role in $args
    if ( !in_array('administrator', $exclude_roles )){
    	$exclude_roles[] = 'administrator';
    }
    $args = array( 
    	'fields' => array( 'ID' ),
    	'role__not_in' => $exclude_roles,
    	'exclude' => array(get_current_user_id()),
    );
    

    Note that role__in can’t be used in the situation where a user has multiple roles and at least one of the roles is not in the editable_roles list and at least one of the roles is in the editable_roles list. In this situation, the user would be removed even though they have a role that is not editable by the person performing the import.

    Hope this is helpful.

    • This reply was modified 6 years ago by nonprofitweb. Reason: Code inclusion didn't work right
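
Added example, not part of the thread or the plugin's code: a plain-PHP model (no WordPress) of the `role__in` versus `role__not_in` selection described in the reply above, run over constructed users so the multi-role case and the current-user exclusion can be compared side by side. The user IDs, the `shop_manager` role, the contents of `$editable_roles` and the `deletion_candidates()` helper are assumptions made for illustration.

```php
<?php
// Added illustration in plain PHP (no WordPress needed). It models the documented
// matching rules of WP_User_Query's role__in / role__not_in on constructed users.

// Constructed sample data: user ID => roles held.
$users = array(
    1 => array( 'administrator' ),
    2 => array( 'editor' ),                     // the non-admin user running the import
    3 => array( 'subscriber' ),                 // listed in the CSV
    4 => array( 'subscriber', 'shop_manager' ), // multi-role, not in the CSV
    5 => array( 'subscriber' ),                 // not in the CSV
);
$all_roles      = array( 'administrator', 'editor', 'subscriber', 'shop_manager' );
$editable_roles = array( 'editor', 'subscriber' ); // assumed: roles the importer may edit
$current_user   = 2;
$ids_in_csv     = array( 3 );

// Hypothetical helper: IDs that would be selected as deletion candidates.
// $mode 'in':     the user must hold at least one of $roles.
// $mode 'not_in': the user must hold none of $roles.
function deletion_candidates( array $users, string $mode, array $roles, array $exclude, array $ids_in_csv ): array {
    $ids = array();
    foreach ( $users as $id => $user_roles ) {
        $overlap = count( array_intersect( $user_roles, $roles ) ) > 0;
        $matches = ( 'in' === $mode ) ? $overlap : ! $overlap;
        if ( $matches && ! in_array( $id, $exclude, true ) && ! in_array( $id, $ids_in_csv, true ) ) {
            $ids[] = $id;
        }
    }
    return $ids;
}

// Same construction as the reply: every non-editable role, plus administrator.
$exclude_roles = array_values( array_diff( $all_roles, $editable_roles ) );
if ( ! in_array( 'administrator', $exclude_roles, true ) ) {
    $exclude_roles[] = 'administrator';
}

// Variant 1: role__in on the editable roles, with no 'exclude' argument.
$with_role_in = deletion_candidates( $users, 'in', $editable_roles, array(), $ids_in_csv );

// Variant 2: role__not_in on the non-editable roles, excluding the current user.
$with_not_in = deletion_candidates( $users, 'not_in', $exclude_roles, array( $current_user ), $ids_in_csv );

echo 'role__in:     ' . implode( ', ', $with_role_in ) . PHP_EOL;
echo 'role__not_in: ' . implode( ', ', $with_not_in ) . PHP_EOL;
```
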
    Plugin Author Javier Carazo

    (@carazo)

    You are great.

    I have just made an upload with new version including this code and also the one to include classes in DOM.

    You are the biggest contributor in years.


The topic ‘Non Admin User Can Delete Self’ is closed to new replies.