#1645 closed defect (bug) (fixed)
You can deactivate the only administrator!
Reported by: | markjaquith | Owned by: | markjaquith |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | major | Version: | 1.6 |
Component: | Administration | Keywords: | bg\|has-patch bg\|squashed bg\|commit |
Focuses: | | Cc: | |
Description
If you go to Authors & Users => Edit (next to 'admin'), you can change the role of the 'admin' user to something lower. Bad! Resetting had to be done manually through SQL.
You shouldn't be able to adjust the role of the primary admin user, and people shouldn't be able to demote themselves.
::pokes Owen, who knows all about this new system::
Attachments (1)
Change History (12)
#2
@
19 years ago
My gut tells me we should prohibit seppuku. (hehe) I would let the superuser do anything but bust his own caps. (oh, bad)
#3
@
19 years ago
- Keywords bg|patch added; bg|needs-patch removed
It's difficult to say "Administrator" when dealing with capabilities, since the names of the roles are arbitrary.
Instead, this patch prevents a user from selecting a role for themselves that does not have the edit_users capability.
To test, add this line to the bottom of your admin-footer.php, which will grant the "Editor" role with edit_users permissions:
<?php $wp_roles->add_cap('editor', 'edit_users'); ?>
#6
@
19 years ago
Works for me! I even tried deleting the currently-logged-in admin account among a list of others. The others deleted fine.
#7
@
19 years ago
- Keywords bg|commit added
- Owner changed from ringmaster to markjaquith
- Status changed from new to assigned
Deleted the first patch.
New patch works for me.
#8
@
19 years ago
Okay this works when you Set Role in user.php, but it does not work in user-edit.php! There you can change 'Administrator' Role to 'Author' and you're screwed.
user-edit.php shows these two messages when you change the Administrator role: "User updated." and "* You do not have permission to edit this user." Then it's to phpMyAdmin to reset the wp_capabilities and wp_user_level.
#9
@
19 years ago
Okay this works when you Set Role in user.php, but it does not work in user-edit.php! There you can change 'Administrator' Role to 'Author' and you're screwed.
user-edit.php shows these two messages when you change the Administrator role: "User updated." and "* You do not have permission to edit this user." Then it's to phpMyAdmin to reset the wp_capabilities and wp_user_level.
[Edit: maybe this should be posted under #1825 (http://trac.wordpress.org/ticket/1825) which added Role changing to user-edit.php. I'm guessing the code in user.php that's like:
if($id == $current_user->id && !$wp_roles->role_objects[$_POST['new_role']]->has_cap('edit_users'))
should be added to user-edit.php.
I'm in the process of patching this. Design decision: do we allow more than one administrator, or can we just grey out the box for editing the role on user-edit.php if the user is an administrator?
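The self-demotion check described in comment 3, placed in one write path so that both handlers named in comments 8 and 9 go through it, as an added example that is not WordPress code. The arrays stand in for $wp_roles and the users table, and role_change_error() and change_role() are hypothetical names.

```php
<?php
// Added example, not WordPress core code. Plain arrays stand in for
// $wp_roles and the users table (constructed sample data).
$roles = [
    'administrator' => ['edit_users' => true,  'edit_posts' => true],
    'editor'        => ['edit_users' => false, 'edit_posts' => true],
    'author'        => ['edit_users' => false, 'edit_posts' => true],
];
$users = [1 => 'administrator', 2 => 'editor', 3 => 'author']; // id => role

// Hypothetical guard: returns an error string, or null if the change is allowed.
function role_change_error(array $roles, array $users, int $actor, int $target, string $new_role): ?string
{
    if (!isset($roles[$new_role])) {
        return 'unknown role';
    }
    if (!isset($users[$actor], $users[$target])) {
        return 'unknown user';
    }
    // Authorization: the actor's current role must carry edit_users.
    if (empty($roles[$users[$actor]]['edit_users'])) {
        return 'actor lacks edit_users';
    }
    // Rule from the ticket: no role for yourself that lacks edit_users.
    if ($target === $actor && empty($roles[$new_role]['edit_users'])) {
        return 'cannot remove your own edit_users capability';
    }
    return null;
}

// Single write path for the bulk "Set Role" action and the single-user edit
// form, so neither handler can skip the guard. The check runs before the write.
function change_role(array $roles, array &$users, int $actor, int $target, string $new_role): string
{
    $error = role_change_error($roles, $users, $actor, $target, $new_role);
    if ($error !== null) {
        return "rejected: $error";
    }
    $users[$target] = $new_role;
    return 'updated';
}

echo change_role($roles, $users, 1, 1, 'author'), "\n";        // user 1 tries to demote self
echo change_role($roles, $users, 1, 2, 'administrator'), "\n"; // user 1 promotes user 2
echo change_role($roles, $users, 2, 1, 'author'), "\n";        // user 2 demotes user 1
echo change_role($roles, $users, 3, 2, 'editor'), "\n";        // author acts on user 2
```

Because only a holder of edit_users can change roles, and that holder cannot drop the capability from their own account, every role change made through this path leaves at least one user with edit_users. Account deletion is a separate path and needs its own check.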