WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 4 months ago

#15636 closed defect (bug) (duplicate)

"New User Default Role" dropdown should order by privilege level

Reported by: novasource
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.0.2
Component: Users
Keywords:
Focuses:
Cc:

Description

The New User Default Role dropdown at wp-admin/options-general.php is in spiffy random order:

  • Subscriber
  • Administrator
  • Editor
  • Author
  • Contributor

This UI bug suggests that Subscriber and Contributor are the opposite poles of privilege levels. In fact, they are successive steps in increasing privilege. Also, it doesn't make sense to put the least and greatest privileges, Subscriber and Administrator, next to each other.

Please let proximity and position serve their purpose: order this dropdown by level of access, starting with the least access:

  • Subscriber
  • Contributor
  • Author
  • Editor
  • Administrator

Attachments (2)

15636.1.patch (1.1 KB) - added by mario-siteground 17 months ago.
15636.typed.1.patch (1.7 KB) - added by mario-siteground 17 months ago.

Change History (21)

comment:1 nacin 3 years ago

  • Milestone changed from Awaiting Review to Future Release

I wonder if we should hide Administrator by default. I wasn't aware we even offered all roles as an option.

comment:2 nacin 3 years ago

  • Keywords ux-feedback added; security removed
  • Type changed from defect (bug) to enhancement

comment:3 jane 3 years ago

  • Keywords ux-feedback removed

Why would we not offer all roles as an option? All roles should be offered.

Visual hierarchy would place those with the most access at the top, not the bottom. Subscriber should be the bottom choice. It is probably at the top b/c when it was coded originally the devs decided that would be the default role rather than forcing the admin to choose by making the default menu state "Select Role" or something.

comment:4 novasource 3 years ago

> Visual hierarchy would place those with the most access at the top, not the bottom. Subscriber should be the bottom choice. It is probably at the top b/c when it was coded originally the devs decided that would be the default role rather than forcing the admin to choose by making the default menu state "Select Role" or something.

Counterpoint: It's good to encourage use of least privilege roles. Whatever's at the top is more likely to be selected than whatever's at the bottom. Therefore, put least privilege roles at the top.

Also, while ordering has meaning, what is it being ordered on? If it's being ordered on preferred roles, then least privilege at the top is exactly what you want.

comment:5 scribu 3 years ago

  • Milestone Future Release deleted
  • Resolution set to invalid
  • Status changed from new to closed

User roles are not hierarchical, therefore they cannot be ordered programmatically by "privilege level".

comment:6 novasource 3 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Hold on, there's no creative way around this problem? Default roles couldn't somehow be arbitrarily ordered in the presentation layer? I don't want to give up on this so easily. It's a poor practice for the UI to not distinguish between hierarchical security roles.

comment:7 scribu 3 years ago

  • Keywords 2nd-opinion added
  • Milestone set to Future Release

Sure, the default roles could be sorted by hand.

> hierarchical security roles

I have no idea what that means.

comment:8 novasource 3 years ago

By "hierarchical security roles", I mean there's a relationship between any 2 roles where role A contains all of role B's privileges and more. So you can set up a hierarchy of roles with progressive authority like A > B > C > D > E.

comment:9 greenshady 3 years ago

Where do custom roles fit into all of this? What about custom capabilities? Or, when the capabilities have been changed for a particular role?

And, how do you decide if a capability is "higher" than another capability? Roles are just groups of capabilities, so the decision would have to be made on the capability layer.

Last edited 3 years ago by greenshady

comment:10 novasource 3 years ago

I figure the dropdown would show the delivered roles, in order, at the top. Then all custom roles would appear below?

comment:11 scribu 3 years ago

It's not a technical problem: custom roles could indeed be added at the bottom, and then a filter could be added, to allow plugins to re-order them as they please.

It's a cognitive problem: you assume roles are hierarchical, which is not necessarily true.

They were hierarchical when user levels were used and they still look hierarchical now, but they need not be, as greenshady said.

Last edited 3 years ago by scribu

comment:12 novasource 3 years ago

Let's not get into semantics. Per http://codex.wordpress.org/Roles_and_Capabilities#Capability_vs._Role_Table, there is an obvious hierarchy of permissions in the default roles, and you can order the roles so that for any role X, there is a role Y that has all of X's privileges and more.

comment:13 nacin 3 years ago

  • Keywords 2nd-opinion removed
  • Type changed from enhancement to defect (bug)

The core roles are hierarchical and wherever they are displayed, they should be ordered hierarchically.

Any other role, we cannot make such assumptions.

comment:14 scribu 3 years ago

Related: #15636

Version 0, edited 3 years ago by scribu

comment:15 SergeyBiryukov 3 years ago

  • Keywords needs-patch added

mario-siteground 17 months ago

comment:16 mario-siteground 17 months ago

We have a sample solution to the problem, but there is one controversial point. I apply the two patches.

  • one with generic sort - all roles are sorted by capability count (we could discuss this criterion, as we need some balance between productivity and end functionality)
  • second, separating them by type (default, custom); then sorting by capabilities is applied - first to the default roles (which results in the order that we already know) and then to the custom ones.

The problem is that the function wp_dropdown_roles reorders them without the filter and places the default user role as the first option element in the select, which is probably done for backwards compatibility, where selected="selected" could work in another way than expected. What would be the best solution for that matter?

comment:17 markoheijnen 17 months ago

We shouldn't add any sorting to this array at all. By default we give them in the order we want, and if someone adds a custom role, it is added at the end. And with a filter you can still provide the right order.
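
The ordering that comments 13 and 17 converge on, together with the hierarchy test defined in comment 8, as an added example that is not part of the ticket, its patches, or WordPress core: core roles are listed least privilege first, other roles are appended, and the chain check shows why capability count alone (comment 16) does not establish a hierarchy. `CORE_ORDER`, the function names, the `shop_clerk` role and its `manage_orders` and `view_reports` capabilities are assumptions, and the core capability lists are abbreviated.

```php
<?php
// Added example, not WordPress core code. Role data is constructed and
// abbreviated; its shape mirrors WP_Roles::$roles (slug => name + capabilities).
const CORE_ORDER = ['subscriber', 'contributor', 'author', 'editor', 'administrator'];

function granted_caps(array $role): array {
    return array_keys(array_filter($role['capabilities']));
}

// Comment 8's definition: $a holds all of $b's capabilities and more.
function strictly_contains(array $a, array $b): bool {
    $ca = granted_caps($a);
    $cb = granted_caps($b);
    return count($ca) > count($cb) && !array_diff($cb, $ca);
}

// True only if each listed role strictly contains the one before it.
function is_privilege_chain(array $roles, array $order): bool {
    $present = array_values(array_filter($order, fn($s) => isset($roles[$s])));
    for ($i = 1; $i < count($present); $i++) {
        if (!strictly_contains($roles[$present[$i]], $roles[$present[$i - 1]])) {
            return false;
        }
    }
    return true;
}

// Core roles first, least privilege first; other roles keep their registration
// order at the end, because no hierarchy can be assumed for them.
function order_roles(array $roles, array $core_order = CORE_ORDER): array {
    $core = [];
    foreach ($core_order as $slug) {
        if (isset($roles[$slug])) {
            $core[$slug] = $roles[$slug];
        }
    }
    return $core + array_diff_key($roles, $core);
}

$caps = fn(string ...$names) => array_fill_keys($names, true);
$roles = [ // constructed sample, listed in the order the ticket reports
    'subscriber'    => ['name' => 'Subscriber',    'capabilities' => $caps('read')],
    'administrator' => ['name' => 'Administrator', 'capabilities' => $caps('read', 'edit_posts', 'publish_posts', 'edit_others_posts', 'manage_options')],
    'editor'        => ['name' => 'Editor',        'capabilities' => $caps('read', 'edit_posts', 'publish_posts', 'edit_others_posts')],
    'author'        => ['name' => 'Author',        'capabilities' => $caps('read', 'edit_posts', 'publish_posts')],
    'contributor'   => ['name' => 'Contributor',   'capabilities' => $caps('read', 'edit_posts')],
    'shop_clerk'    => ['name' => 'Shop Clerk',    'capabilities' => $caps('read', 'manage_orders', 'view_reports')], // hypothetical custom role
];
echo implode(', ', array_keys(order_roles($roles))), "\n";
var_dump(is_privilege_chain($roles, CORE_ORDER));                               // core roles
var_dump(is_privilege_chain($roles, ['contributor', 'shop_clerk', 'author']));  // by count only
```

If a site has edited a core role's capabilities, `is_privilege_chain()` reports whether the fixed order still reflects increasing privilege.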

comment:18 helen 15 months ago

  • Component changed from UI to Users
  • Keywords ui-focus added

comment:19 nofearinc 4 months ago

  • Keywords needs-patch ui-focus removed
  • Milestone Future Release deleted
  • Resolution set to duplicate
  • Status changed from reopened to closed

Related: #1511, #14578.

Fixed in #14578 with changeset 25695.