Make WordPress Core

Opened 19 years ago

Closed 19 years ago

Last modified 18 years ago

#1645 closed defect (bug) (fixed)

You can deactivate the only administrator!

Reported by: markjaquith Owned by: markjaquith
Milestone: Priority: normal
Severity: major Version: 1.6
Component: Administration Keywords: bg|has-patch bg|squashed bg|commit
Focuses: Cc:

Description

If you go to Authors & Users => Edit (next to 'admin'), you can change the role of the 'admin' user to something lower. Bad! Resetting had to be done manually through SQL.

You shouldn't be able to adjust the role of the primary admin user, and people shouldn't be able to demote themselves.

::pokes Owen, who knows all about this new system::

Attachments (1)

users.php.2.patch (3.5 KB) - added by ringmaster 19 years ago.
Oops. This one handles deleting yourself, too.


Change History (12)

#1 @davidhouse
19 years ago

I'm in the process of patching this. Design decision: do we allow more than one administrator, or can we just grey out the box for editing the role on user-edit.php if the user is an administrator?

#2 @skeltoac
19 years ago

My gut tells me we should prohibit seppuku. (hehe) I would let the superuser do anything but bust his own caps. (oh, bad)

#3 @ringmaster
19 years ago

  • Keywords bg|patch added; bg|needs-patch removed

It's difficult to say "Administrator" when dealing with capabilities, since the names of the roles are arbitrary.

Instead, this patch prevents a user from selecting a role for themselves that does not have the edit_users capability.

To test, add this line to the bottom of your admin-footer.php, which will grant the "Editor" role with edit_users permissions:

<?php $wp_roles->add_cap('editor', 'edit_users'); ?>

#4 @markjaquith
19 years ago

  • Keywords bg|has-patch bg|squashed added; bg|patch removed

@ringmaster
19 years ago

Oops. This one handles deleting yourself, too.

#5 @ringmaster
19 years ago

Apply ONLY the second patch, please.

#6 @mikelietz
19 years ago

Works for me! I even tried deleting the currently-logged-in admin account among a list of others. The others deleted fine.

#7 @markjaquith
19 years ago

  • Keywords bg|commit added
  • Owner changed from ringmaster to markjaquith
  • Status changed from new to assigned

deleted the first patch.

new patch works for me.

#8 @MichaelH
19 years ago

Okay this works when you Set Role in user.php, but it does not work in user-edit.php! There you can change 'Administrator' Role to 'Author' and you're screwed.

user-edit.php shows these two messages when you change the Administrator role: "User updated." and "* You do not have permission to edit this user." Then it's to phpMyAdmin to reset the wp_capabilities and wp_user_level.

#9 @MichaelH
19 years ago

Okay this works when you Set Role in user.php, but it does not work in user-edit.php! There you can change 'Administrator' Role to 'Author' and you're screwed.

user-edit.php shows these two messages when you change the Administrator role: "User updated." and "* You do not have permission to edit this user." Then it's to phpMyAdmin to reset the wp_capabilities and wp_user_level.

[Edit: maybe this should be posted under ticket #1825 (http://trac.wordpress.org/ticket/1825), which added Role changing to user-edit.php. I'm guessing the code in user.php that's like:

if($id == $current_user->id && !$wp_roles->role_objects[$_POST['new_role']]->has_cap('edit_users'))

should be added to user-edit.php.]
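The guard described in comment #3 (refuse a self-assigned role that lacks edit_users) and the check quoted in comment #9, together with the self-deletion refusal from the second patch, as a self-contained added example. This is not the ticket's patch or WordPress code: the role-to-capability table, the user ids and the function names are constructed for illustration, standing in for what WordPress keeps in $wp_roles.

```php
<?php
// Constructed role table for the example; WordPress holds the real one in $wp_roles.
$roles = [
    'administrator' => ['edit_users' => true, 'delete_users' => true, 'edit_posts' => true],
    'editor'        => ['edit_posts' => true],
    'author'        => ['edit_posts' => true],
    'subscriber'    => [],
];

// True when the named role carries the capability (unknown roles carry nothing).
function role_has_cap(array $roles, string $role, string $cap): bool {
    return !empty($roles[$role][$cap]);
}

// Role-change guard. A caller without edit_users may not change roles at all;
// a caller changing their OWN role may not pick one that lacks edit_users,
// because the site could be left with nobody able to undo the change
// (the "reset via SQL" situation the ticket describes).
function can_set_role(array $roles, int $current_id, string $current_role,
                      int $target_id, string $new_role): bool {
    if (!role_has_cap($roles, $current_role, 'edit_users')) {
        return false;
    }
    if ($target_id === $current_id && !role_has_cap($roles, $new_role, 'edit_users')) {
        return false;
    }
    return true;
}

// Deletion guard for a bulk list: drop the logged-in account from the list
// and return only the ids that may be deleted, so the rest still go through.
function deletable_users(array $roles, int $current_id, string $current_role, array $ids): array {
    if (!role_has_cap($roles, $current_role, 'delete_users')) {
        return [];
    }
    return array_values(array_filter($ids, fn(int $id) => $id !== $current_id));
}

// Demo: user 1 is the only administrator and is logged in.
var_dump(can_set_role($roles, 1, 'administrator', 1, 'author'));     // sole admin demoting self
var_dump(can_set_role($roles, 1, 'administrator', 2, 'subscriber')); // changing another user
var_dump(can_set_role($roles, 3, 'editor', 3, 'subscriber'));        // editor lacks edit_users
var_dump(deletable_users($roles, 1, 'administrator', [1, 2, 3]));    // self removed from the list
```

Both the bulk Set Role form (users.php) and the single-user edit form (user-edit.php) need to call the same guard; comment #9 reports exactly the gap that opens when only one of the two paths checks.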

#10 @matt
19 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [3061]) Update all to eol-style: native, also fixes #1645

#11 @(none)
18 years ago

  • Milestone 2.0 deleted

Milestone 2.0 deleted
