justinfyi: the Superadmin plugin doesn’t work correctly with User Role Editor.
Thanks for the heads up infohowdy. I was just about to check that out.
This sounds strange; in this part of the code a user with a lower level can't delete a user with a higher level…
    // We have two vulnerable queries with user IDs in the admin interface which should be processed:
    // 1st: http://blogdomain.com/wp-admin/user-edit.php?user_id=ID&wp_http_referer=%2Fwp-admin%2Fusers.php
    // 2nd: http://blogdomain.com/wp-admin/users.php?action=delete&user=ID&_wpnonce=ab34225a78
    // If an Administrator user ID is put into such a request, a user with lower capabilities (if he has 'edit_users')
    // can edit or delete the admin record.
    // This function removes the 'edit_users' capability from the current user's capabilities
    // if the request has an admin user ID in it.
    function ure_not_edit_admin($allcaps, $caps, $name) {
        global $ure_userToEdit;
        // request parameters carrying the target user ID (user-edit.php uses user_id, users.php uses user)
        $userKeys = array('user_id', 'user');
        foreach ($userKeys as $userKey) {
            $accessDeny = false;
            if (isset($_GET[$userKey])) {
                $ure_UserId = $_GET[$userKey];
                if ($ure_UserId == 1) { // built-in WordPress Admin
                    $accessDeny = true;
                } else {
                    if (!isset($ure_userToEdit[$ure_UserId])) {
                        // check if user_id has the Administrator role
                        $accessDeny = ure_has_administrator_role($ure_UserId);
                    } else {
                        // user_id was checked already, get the result from the cache
                        $accessDeny = $ure_userToEdit[$ure_UserId];
                    }
                }
                if ($accessDeny) {
                    unset($allcaps['edit_users']);
                }
                break;
            }
        }
        return $allcaps;
    }
    // end of ure_not_edit_admin()

    function ure_init() {
        global $current_user;
        if (!empty($current_user->ID)) {
            $user_id = $current_user->ID;
        } else {
            $user_id = 0;
        }
        // these filters and actions should prevent editing users with the administrator role
        // by other users with 'edit_users' capabilities
        if (!ure_is_admin($user_id)) {
            // Exclude administrator role from edit list.
            add_filter('editable_roles', 'ure_excludeAdminRole');
            // Enqueue jQuery
            add_action('admin_enqueue_scripts', 'ure_admin_jquery');
            // Hide Administrator from list of users
            add_action('admin_head', 'ure_admin_user_hide');
            // prohibit any actions with a user who has the Administrator role
            add_filter('user_has_cap', 'ure_not_edit_admin', 10, 3);
        }
    }
    // end of ure_init()
Unfortunately even a snippet of code from this doesn’t seem to be working as my owner deleted the administrator with User ID 1.
    if ($ure_UserId == 1) { // built-in WordPress Admin
        $accessDeny = true;
Would be nice to get this to function as expected.
justinfyi, this hides the options, but if you bypass it with a URL query you can delete administrators.
I think the only way is to modify the wp-admin/users.php page
justinfyi, in the file wp-admin/users.php around line 171:
    if ( $id == $current_user->ID ) {
add some rule here:
    if ( $id == $current_user->ID || $user->user_level == 10 ) {
I know this is not a flair solution…
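The two approaches above are the plugin's user_has_cap filter, which only inspects the raw $_GET parameters, and a hand edit of wp-admin/users.php, which is lost on every core update. A third way, shown here as an added example that is neither User Role Editor's code nor WordPress core, hooks the map_meta_cap filter instead. WordPress consults that filter whenever current_user_can('edit_user', $id), 'delete_user', 'remove_user' or 'promote_user' is evaluated, which is what user-edit.php and the users.php delete action do for the requests quoted earlier, so a direct URL with an administrator's ID is caught the same way as a click in the user list. The function name example_protect_admin_accounts and the plugin header are assumptions; get_userdata, is_multisite, is_super_admin, WP_User::$roles, add_filter and the 'do_not_allow' pseudo-capability are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Protect Administrator Accounts (added example, not part of User Role Editor)
Description: Drop into wp-content/mu-plugins/ so it loads without activation.
*/

// Deny edit/delete/remove/promote of an Administrator account unless the acting
// user is an Administrator (or a super admin on multisite) themselves.
function example_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
    // Meta capabilities whose first extra argument is the target user's ID.
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
    if ( ! in_array( $cap, $guarded, true ) ) {
        return $caps;
    }

    $target_id = isset( $args[0] ) ? (int) $args[0] : 0;
    // Acting on one's own account is left to core's own rules (e.g. users.php
    // already refuses self-deletion), and an unknown target changes nothing.
    if ( $target_id <= 0 || $target_id === (int) $user_id ) {
        return $caps;
    }
    $target = get_userdata( $target_id );
    if ( ! $target ) {
        return $caps;
    }

    $target_is_admin = in_array( 'administrator', (array) $target->roles, true )
        || ( is_multisite() && is_super_admin( $target_id ) );
    if ( ! $target_is_admin ) {
        return $caps; // ordinary accounts keep the normal capability mapping
    }

    $actor = get_userdata( $user_id );
    $actor_is_admin = $actor && (
        in_array( 'administrator', (array) $actor->roles, true )
        || ( is_multisite() && is_super_admin( $user_id ) )
    );
    if ( $actor_is_admin ) {
        return $caps;
    }

    // 'do_not_allow' is a capability no role ever has, so the check fails
    // regardless of which primitive caps (edit_users, delete_users, ...) the actor holds.
    return array( 'do_not_allow' );
}
add_filter( 'map_meta_cap', 'example_protect_admin_accounts', 10, 4 );
```

Because the decision is keyed on the target user's stored roles rather than on the request parameters or on the legacy user_level field, it also covers the ID=1 case without special-casing it, and it does not hide anything from the interface: a non-administrator who follows a crafted user-edit.php or users.php?action=delete link gets WordPress's normal "not allowed" response.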
justinfyi,
Could you please give me more details: what exactly did your user with the Owner role do? With what action did he delete the user with ID=1? A direct URL call, or a link click in the WP admin interface? I wish to reproduce that and find the solution.
What WP version do you use? Under multi-site WordPress your ‘owner’ could have superadmin privileges…
Thanks.