[Plugin: Extended Super Admins] Created role can still network deactivate plugin
Hi,
Setup: Extended Super Admins (ESA) Plugin installed on a fresh WP 3.2 Multi-site.
I created a new role and applied it to a super admin named SAdmin. I configured the role and removed all capabilities except for installing, editing and activating/deactivating Themes and Plugins across the network. I also removed the manage_esa_options capability. Again, I disabled all other capabilities. No access to Site Admin either.
Removing the capability for network_esa_options also removed the ability of SAdmin to access the ESA settings. This is what I need. It works really well now on the fresh WP 3.2 with the new 0.6.1 version (many thanks to Curtiss Grymala).
However, since SAdmin has access to the Plugins menu, it can also click on the options of the ESA plugin itself. Below is a list of what happens when clicking on the ESA options under Plugins:
Settings – a message appeared: You do not have sufficient permissions to access this page (this is ok and expected)
Network Deactivate – it deactivated ESA plugin and therefore gave SAdmin full access to the Network (this is not ok)
Edit – it allowed SAdmin access to the source code (I’m not sure if this is ok)
Delete Settings – a message appeared: You do not have sufficient permissions to access this page (this is ok and expected)
Is it possible that if the capability network_esa_options is checked/removed from the role, the super admin belonging to the role will not be able to deactivate the plugin, as it defeats the purpose of removing the capability? This means that the expected response is also ‘You do not have sufficient permissions to access this page’. Could this restriction also be applied when clicking on Edit? However, SAdmin must still be able to have full access to all other installed plugins (except for ESA of course).
I hope I’m not complicating things.
Thanks for any assistance.
Phil
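One way to get the behaviour asked for above, as an added example that is not part of the original post and not ESA's own code: a small must-use plugin that refuses Plugins-screen and plugin-editor requests naming ESA when the current user lacks the capability. Assumptions: the ESA file path is a placeholder to fill in, ESA sits in its own folder, and ESA makes current_user_can() return false for manage_esa_options for restricted super admins (as the Settings denial in the post suggests).

```php
<?php
// Added example, not ESA's own code. Assumed to live in wp-content/mu-plugins/,
// where it cannot be deactivated from the Plugins screen.

// Placeholder: ESA's main file, relative to wp-content/plugins/ (own folder assumed).
define( 'ESA_GUARD_PLUGIN', 'ESA_FOLDER/ESA_MAIN_FILE.php' );
// Capability named in the post; assumed to be denied to restricted super admins.
define( 'ESA_GUARD_CAP', 'manage_esa_options' );

// True when a plugin-relative path points inside the protected plugin's folder.
function esa_guard_is_protected( $path ) {
	$path = ltrim( str_replace( '\\', '/', stripslashes( $path ) ), '/' );
	return 0 === strpos( $path, dirname( ESA_GUARD_PLUGIN ) . '/' );
}

// Cosmetic layer: drop the row links the restricted user should not see.
function esa_guard_row_links( $actions ) {
	if ( ! current_user_can( ESA_GUARD_CAP ) ) {
		unset( $actions['deactivate'], $actions['edit'], $actions['delete'] );
	}
	return $actions;
}
add_filter( 'network_admin_plugin_action_links_' . ESA_GUARD_PLUGIN, 'esa_guard_row_links' );
add_filter( 'plugin_action_links_' . ESA_GUARD_PLUGIN, 'esa_guard_row_links' );

// Enforcing layer: runs before plugins.php / plugin-editor.php process the request,
// so a hand-built URL or a bulk action (checked[]) is refused as well.
function esa_guard_block_request() {
	if ( current_user_can( ESA_GUARD_CAP ) ) {
		return;
	}
	$targets = array();
	foreach ( array( 'plugin', 'file', 'checked' ) as $key ) {
		if ( isset( $_REQUEST[ $key ] ) ) {
			$targets = array_merge( $targets, (array) $_REQUEST[ $key ] );
		}
	}
	foreach ( $targets as $target ) {
		if ( is_string( $target ) && esa_guard_is_protected( $target ) ) {
			wp_die( 'You do not have sufficient permissions to access this page.' );
		}
	}
}
add_action( 'load-plugins.php', 'esa_guard_block_request' );
add_action( 'load-plugin-editor.php', 'esa_guard_block_request' );
```

All other plugins stay fully manageable, since only requests naming the ESA folder are refused. This closes the Plugins-screen path only: an account that can still install or edit other plugins can run arbitrary PHP, so the role is not a hard boundary.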