Prevent Admin user from removing other Admin users

This topic contains 12 replies, has 2 voices, and was last updated by  Vladimir 1 month, 3 weeks ago.

    #5660

    officezen
    Participant

    I’m not sure which forum category this falls under, but is it possible to set this up?

    #5673

    Vladimir
    Keymaster

    Excuse the delay in answering – I had a 2-week vacation.

    This feature is active in User Role Editor by default.
    Any user with an ID not equal to 1 (the WordPress default admin user) who has the ‘edit_users’ capability does not see users with the ‘administrator’ role.
    Note that if a user has the ‘ure_manage_options’ capability, URE counts him as a superadmin and does not apply any restrictions to him.

    Another way to restrict which users are shown (available for editing/deletion) to the current user is the Other roles access add-on.

    #5703

    officezen
    Participant

    My original admin with user ID 1 (Admin: A) was accidentally removed by another admin user (Admin: B) added by the original admin.

    The ure_manage_option for Admin: B IS enabled. What are the repercussions of disabling this option?

    I still need Admin: B to be able to remove non-admin users.

    #5705

    Vladimir
    Keymaster

    If you revoke the ‘ure_manage_options’ capability from a user, he will lose access to the Settings->User Role Editor page and stop being a superadmin for URE.

    Workaround scenario:
    If you do not use plugins which directly require the ‘administrator’ role instead of some user capability, you may create a copy of the ‘administrator’ role for additional administrators and block this role (and users with this role) from themselves via the “Other roles access” add-on.
    Then do not use the user with ID=1 in daily work.

    #5706

    officezen
    Participant

    I want to prevent this admin user from accidentally removing another admin user (myself, ID=1) while leaving him the ability to remove other non-admin users.

    So does revoking the ‘ure_manage_options’ capability from this user achieve this?

    #5707

    Vladimir
    Keymaster

    If you revoke the ‘ure_manage_options’ capability from a user, he will stop being a superadmin for URE. Thus he will not see other users with the ‘administrator’ role.
    It’s the default security rule applied by URE to non-superadmins.

    Be aware that if you grant a user access to Users->User Role Editor, that user can add ‘ure_manage_options’ back at any time.

    #5708

    officezen
    Participant

    I’m a bit confused by your explanation here.

    Is the admin user with no ‘ure_manage_options’ capability still able to remove non-admin users?

    #5709

    Vladimir
    Keymaster

    Yes, he will be able to delete users without this capability.

    ‘ure_manage_options’ is not related to user deletion at all.
    Any user with ‘list_users’ and ‘delete_users’ can delete any user available to him on the Users list page.

    #5710

    officezen
    Participant

    Thank you for the confirmation.

    #5713

    officezen
    Participant

    What would be the reason I cannot deselect the “ure_manage_options” (or any other options for that matter) from the user?

    Clicking on the blue checkmark does nothing.

    #5714

    Vladimir
    Keymaster

    I suppose you are trying to revoke a capability from the administrator role. URE does not allow this, to prevent accidental loss of access to site management.

    Workaround – create a full copy of the administrator role and revoke unneeded capabilities from it. Grant it to your other admins.

    #5717

    officezen
    Participant

    Where would I create a full copy of admin role, etc.?

    I cannot seem to be able to locate that option.

    #5719

    Vladimir
    Keymaster

    1) Users->User Role Editor->Add Role
    2) Select ‘Administrator’ in the ‘Make copy of’ drop-down menu
    If the ‘Administrator’ role is not available for selection, go to Settings->User Role Editor->General and turn ON the ‘Show Administrator role at User Role Editor’ option.

    Or add a new role, even an empty one, then click the checkbox to the left of the “Quick filter” label. It will select all capabilities. Update Role.
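
The workaround discussed in this thread (a copy of the ‘administrator’ role without ‘ure_manage_options’), together with a WordPress-core guard so that only user ID 1 can delete or edit administrators, as an added example that is not part of the thread and is not User Role Editor's own code. The role key `site_manager`, its label and the constant name are assumptions, and the guard works through the core `map_meta_cap` filter independently of URE.

```php
<?php
/**
 * Plugin Name: Protect administrators (added example, not URE code)
 */

// Assumed role key for the administrator copy; not taken from the thread.
const OZ_MANAGER_ROLE = 'site_manager';

// Step 1: copy the 'administrator' role once, leaving out 'ure_manage_options'
// so holders of the copy are not treated as URE superadmins.
add_action( 'init', function () {
    $admin = get_role( 'administrator' );
    if ( null === $admin || null !== get_role( OZ_MANAGER_ROLE ) ) {
        return; // nothing to copy from, or the copy already exists
    }
    $caps = $admin->capabilities;
    unset( $caps['ure_manage_options'] );
    add_role( OZ_MANAGER_ROLE, 'Site Manager', $caps );
} );

// Step 2: deny per-user actions aimed at user ID 1 or at any user holding
// the 'administrator' role, unless the acting user is ID 1.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'delete_user', 'remove_user', 'edit_user', 'promote_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $target_id = (int) $args[0];
    if ( 1 === (int) $user_id || $target_id === (int) $user_id ) {
        return $caps; // user ID 1 is unrestricted; own profile stays editable
    }
    $target   = get_userdata( $target_id );
    $is_admin = $target && in_array( 'administrator', (array) $target->roles, true );
    if ( 1 === $target_id || $is_admin ) {
        $caps[] = 'do_not_allow'; // core capability that no role can hold
    }
    return $caps;
}, 10, 4 );
```

Saved as a file under wp-content/mu-plugins/, the guard loads on every request and cannot be deactivated from the Plugins screen; deleting non-admin users still depends only on ‘list_users’ and ‘delete_users’.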
