• Resolved harpo1984

    (@harpo1984)


    Hi John,

    I’ve read some of the topics here and also some of the guidance on your website but I must be missing something or doing something wrong. I’ve cloned the Author role and added the custom ability to switch users and allowed access to the List Users ability.

    However, I’ve not given the cloned Author role the capability to edit users and yet this cloned Author is able to switch to any Admin role. I thought this would not be possible?

    Kind regards,

    Simon

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    Did you grant the switch_users capability? If so, they’ll be able to switch to anybody. There’s nothing inherent that stops a user switching into an Administrator role.

    For fine-grained control such as this, you’ll need to use the map_meta_cap or user_has_cap filters in WordPress and dynamically grant or deny the switch_to_user capability based on the target user ID.

    Thread Starter harpo1984

    (@harpo1984)

    Hi John,

    Thanks for replying so quickly. I did add the switch_users capability to the cloned Author role.

    If I understand correctly, you’re saying that I could use filters, for example to deny a user with the switch_users capability the ability to switch to a user with Admin credentials if I know the ID of the Admin user on the site?

    There are three Admin users I would need to stop the cloned Author user with switch_users capability from being able to switch to any of those Admins.

    Or, are you saying that even with these fine-tuned controls, the user with the switch_users capability would still be able to switch to any Admin user?

    Kind regards,

    Simon

    Thread Starter harpo1984

    (@harpo1984)

    @johnbillion Sorry to tag and bump this! I know it’s not cool, especially as the support is free…but I was wondering if you had a chance to look at my last message for clarification?

    Sorry to hassle you.

    Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    Yes that’s right. If you remove the switch_users capability from that role and switch to only using the map_meta_cap or user_has_cap filters, you can dynamically grant or deny the switch_to_user capability based on the target user ID, or the target user role, etc.

    Take a look at the filter_user_has_cap() method in the User Switching plugin itself to see what kind of logic User Switching does itself.

    John
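One way to apply the map_meta_cap approach described in the reply above, as an added example that is not code from the User Switching plugin or from anyone in this thread. The function name and the protected-role list are hypothetical, and it assumes the target user ID arrives as the first extra argument of the `switch_to_user` check.

```php
<?php
/**
 * Plugin Name: Restrict User Switching Targets (added example)
 */

// Hypothetical helper name; not part of WordPress or User Switching.
function example_deny_switch_to_admins( $caps, $cap, $user_id, $args ) {
	// Only act on the per-target meta capability discussed in this thread.
	if ( 'switch_to_user' !== $cap ) {
		return $caps;
	}

	// Assumption: the target user ID is the first extra argument of the check.
	$target = isset( $args[0] ) ? get_userdata( (int) $args[0] ) : false;
	$actor  = get_userdata( (int) $user_id );

	// Fail closed: an unresolvable target or actor is never switchable.
	if ( ! $target || ! $actor ) {
		$caps[] = 'do_not_allow';
		return $caps;
	}

	// Role slugs that must not be switched into by lower-privileged users.
	$protected = array( 'administrator' );

	$target_is_protected = (bool) array_intersect( $protected, (array) $target->roles );
	$actor_is_protected  = (bool) array_intersect( $protected, (array) $actor->roles );

	// Administrators may still switch to each other; everyone else is denied.
	// 'do_not_allow' is WordPress's pseudo-capability that no user can hold,
	// so the check fails even when the role has been granted switch_users.
	if ( $target_is_protected && ! $actor_is_protected ) {
		$caps[] = 'do_not_allow';
	}

	return $caps;
}
add_filter( 'map_meta_cap', 'example_deny_switch_to_admins', 10, 4 );
```

Roles are stored per site, so on multisite a super admin who has no administrator role on the current site is not matched by this role check.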

    Thread Starter harpo1984

    (@harpo1984)

    @johnbillion Thanks so much for confirming this!

    I have looked at the filters and I am having some issues. Are you able to provide a quote for custom support to help me set up the filters initially, and then I will see if I can manage them from there?

    If you can help me, please let me know the best way to get in touch and the quote and I will come back to you ASAP. The work is urgent.

    Thanks for your patience with this matter so far.

    Kind regards,

    Simon

    Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    No problem!

    Unfortunately I’m not available for custom development work (too busy :D). You might have some luck on https://codeable.io/.

The topic ‘Stop Users Switching to Admin’ is closed to new replies.