I got a copy of Beaver Builder Pro plugin version 2.1.2.4 for testing from one of the clients. The result of my investigation below:
User Role Editor (URE) does not limit superadmin – for WordPress single site URE counts as a superadmin any user with ‘administrator’ role and uses WordPress’s own is_super_admin() function for the multisite installation only. URE is written this way as WordPress counts as a superadmin for single site installation any user with ‘delete_users’ capability. Such user is not a real superadmin for many cases with multiple users who can edit users only with limited roles available for the selection.
Beaver Builder (BB) plugin developers counts that they may work with user permissions very-very freely. If WordPress counts someone as a superadmin, but he does not have ‘administrator’ role for some reason. let’s grant this role to him. Why not?
Thus, even if you did not plan to grant to someone the ‘administrator’ role, just allow him to delete users, BB plugin will make it for you very freely and easily.
My conclusion – it’s incorrect way of working with user permissions.
In theory BB should grant not ‘administrator’ role, but the full list of BB capabilities only and not directly to a current user, but to ‘administrator’ role only. Some subset may be granted to editor role, etc. Leave the decision what user what permission has at the site to the site administrator, do not decide so critical question for him behind the scene.
Workaround: comment lines 255, 256, 257 at bb-plugin/classes/class-fl-builder-user-access.php file and do not forget to repeat that after every BB plugin update until they update this part of code with something more compatible with security requirements.
