"New User Default Role" dropdown should order by privilege level

[novasource]

The New User Default Role dropdown at wp-admin/options-general.php is in spiffy random order:

• Subscriber
• Administrator
• Editor
• Author
• Contributor

This UI bug suggests that Subscriber and Contributor are the opposite poles of privilege levels. In fact, they are successive steps in increasing privilege. Also, it doesn't make sense to put the least and greatest privileges, Subscriber and Administrator, next to each other.

Please let proximity and position serve their purpose: order this dropdown by level of access, starting with the least access:

• Subscriber
• Contributor
• Author
• Editor
• Administrator

[nacin]

I wonder if we should hide Administrator by default. I wasn't aware we even offered all roles as an option.

[jane]

Why would we not offer all roles as an option? All roles should be offered.

Visual hierarchy would place those with the most access at the top, not the bottom. Subscriber should be the bottom choice. It is probably at the top b/c when it was coded originally the devs decided that would be the default role rather than forcing the admin to choose by making the default menu state "Select Role" or something.

[novasource]

Visual hierarchy would place those with the most access at the top, not the bottom. Subscriber should be the bottom choice. It is probably at the top b/c when it was coded originally the devs decided that would be the default role rather than forcing the admin to choose by making the default menu state "Select Role" or something.

Counterpoint: It's good to encourage use of least privilege roles. Whatever's at the top is more likely to be selected than whatever's at the bottom. Therefore, put least privilege roles at the top.

Also, while ordering has meaning, what is it being ordered on? If it's being ordered on preferred roles, then least privilege at the top is exactly what you want.

[scribu]

User roles are not hierarchical, therefore they can not be ordered programatically by "privilege level".

[novasource]

Hold on, there's no creative way around this problem? Default roles couldn't somehow be arbitrarily ordered in the presentation layer? I don't want to give up on this so easily. It's a poor practice for the UI to not distinguish between hierarchical security roles.

[scribu]

Sure, the default roles could be sorted by hand.

hierarchical security roles

I have no idea what that means.

[novasource]

By "hierarchical security roles", I mean there's a relationship between any 2 roles where role A contains all of role B's privileges and more. So you can set up a hierarchy of roles with progressive authority like A > B > C > D > E.

[greenshady]

Where do custom roles fit into all of this? What about custom capabilities? Or, when the capabilities have been changed for a particular role?

And, how do you decide if a capability is "higher" than another capability? Roles are just groups of capabilities, so the decision would have to be made on the capability layer.

[novasource]

I figure the dropdown would show the delivered roles, in order, at the top. Then all custom roles would appear below?

[scribu]

It's not a technical problem: custom roles could indeed be added at the bottom, and then a filter could be added, to allow plugins to re-order them as they please.

It's a cognitive problem: you assume roles are hierarchical, which is not necessarily true.

They were hierarchical when user levels were used and they still look hierarchical now, but they need not be, as greenshady said.

[novasource]

Let's not get into semantics. Per ​http://codex.wordpress.org/Roles_and_Capabilities#Capability_vs._Role_Table, there is an obvious hierarchy of permissions in the default roles, and you can order the roles so that for any role X, there is a role Y that has all of X's privileges and more.

[nacin]

The core roles are hierarchical and wherever they are displayed, they should be ordered hierarchically.

Any other role, we cannot make such assumptions.

[scribu]

Related: #16841

[mario-siteground]

We have some sample solution of the problem, but there is one controversial point. I apply the two patches.

• one with generic sort - all roles are sorted by capability count (we could discuss this criteria as we need some balance between productivity and end functionality)
• second, separating them by type (default, custom). then sorting by capabilities is applied - first to default roles (which results in the order that we already know) and then on the custom.

The problem is that the function wp_dropdown_roles reorders them without the filter and places the default user role as first option element in the select, which is probably done for backwards compatibility, where selected="selected" could work in other way then expected. What would be the best solution for that matter?

[markoheijnen]

We shouldn't add any sorting to this array at all. By default we give in the order we want and if someone adds a custom role added at the end. And with a filter you still can provide the right order.

[nofearinc]

Related: #1511, #14578.

Fixed in #14578 with changeset 25695.