Make WordPress Core

Opened 14 years ago

Last modified 5 years ago

#14460 new feature request

New Permission for no_user_edit so users with edit_users can't edit it

Reported by: brandonwamboldt's profile brandon.wamboldt Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.0
Component: Users Keywords: has-patch needs-testing dev-feedback needs-refresh
Focuses: multisite Cc:


I recently experienced a problem where I have an administrator role with full access and a site administrator role with most access including the ability add, edit, and delete users. However, I don't want the Site Administrator to be able to delete users of the role Administrator.

The change I'm proposing is a new permission or marker which states that if enabled, this user can't be changed by another user who isn't the same role. If possible, I might try to add the patch myself.

This is a fairly important issue which would is interfering with WordPress' use as a content management system, and the only work around I've found is to edit core file.

Attachments (1)

14460.patch (1.3 KB) - added by linuxologos 12 years ago.

Download all attachments as: .zip

Change History (6)

#1 @nacin
14 years ago

  • Milestone changed from Awaiting Review to Future Release

12 years ago

#2 @linuxologos
12 years ago

  • Keywords has-patch needs-testing added; user role delete immune removed

If we were to use a new capability to fix this, it seems rather simple (at first look at least).

If for example the administrator was given a "Self protect" capability, then (edit|delete)_user could be checked against this new cap. If another user could edit/delete users, he could do so only for users without the "self protect" cap, unless he himself has the same cap (the administrator in this example).

14460.patch tries to implement this through map_meta_cap(). It's a first pass. Please give an user or role the "self_protect" cap and test.

#3 @trepmal
12 years ago

In the meantime - or if this is deemed plugin-territory - this code might help:

It's just a proof-of-concept at this point and will likely require some refining and customization.

#4 @chriscct7
10 years ago

  • Focuses multisite added
  • Keywords dev-feedback added
  • Severity changed from major to normal

I could swear this is a duplicate of another ticket proposing a solution where site admins cannot delete other site admins (only network admins could delete site admins), except after extensive searching I have yet to find it.

That being said, this seems something that either could be handled by a plugin or could be handled by core. Maybe one of the core devs working on the MS improvements want to weight in on that?

#5 @chriscct7
9 years ago

  • Keywords needs-refresh added
Note: See TracTickets for help on using tickets.