WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#16528 closed enhancement (invalid)

delete_users cap should distinguish roles

Reported by: linuxologos Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.0
Component: Role/Capability Keywords:
Focuses: Cc:

Description

Extending the approach of #16501...

If a user (other than Admin) has the edit_users cap, he can edit only user accounts which currently are given a role theoretically lower than his own (that means for example, an Editor can edit only Authors/Contributors/Subscribers).

delete_users does not distinguish roles. If a user has this cap, he can delete *any* user account. This is very powerful and makes delete_users inflexible. Practically it can not be granted to any other than Admin (otherwise the Admin *could* be deleted).

I think it would be more useful, if it worked like edit_users, unless it must be kept so powerful for some reason.

Another approach associated with this has been mentioned too: #14460. I don't know which is better or whether they can coexist.

Change History (5)

#1 @nacin
8 years ago

delete_users is basically considered the most powerful cap in single-site mode. Keys to the kingdom. When running single site, it's delete_users that determines whether a user is a "super admin."

#2 follow-ups: @scribu
8 years ago

The problem with this idea is that it assumes that roles are hierarchical.

I'm not sure how 'edit_users' distinguishes based on roles. Can't see anything in map_meta_cap().

#3 in reply to: ↑ 2 @linuxologos
8 years ago

Replying to scribu:

The problem with this idea is that it assumes that roles are hierarchical.

Yes, you are totally right. It's just edit_users that opens this area...

I'm not sure how 'edit_users' distinguishes based on roles. Can't see anything in map_meta_cap().

Me neither. I *think* it was introduced in 3.0, but I'm not sure at all.

#4 in reply to: ↑ 2 @linuxologos
7 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Replying to scribu:

I'm not sure how 'edit_users' distinguishes based on roles. Can't see anything in map_meta_cap().

Just because there is nothing there indeed...

This desirable to me behavior turned out it was offered by an active plugin. Let's close this as invalid and focus attention on the related #14460.

#5 @SergeyBiryukov
7 years ago

  • Milestone Awaiting Review deleted
Note: See TracTickets for help on using tickets.