- This topic has 12 replies, 2 voices, and was last updated 4 years, 11 months ago by
.
-
Posts
-
Excuse for a delay with answer – I had 2 weeks vacation.
This is a feature active at User Role Editor by default.
Any user with ID not equal 1 (WordPress default admin user) which has ‘edit_users’ capability does not see users with ‘administrator’ role.
Pay attention that if user has ‘ure_manage_options’ capability URE counts him as a superadmin and does not apply to him any restrictions.Another way to restrict what users are shown (available for editing/deletion) to the current user is Other roles access add-on.
My original admin with user ID 1 (Admin: A) was accidentally removed by another admin user (Admin: B) added by the original admin.
The ure_manage_option for Admin: B IS enabled. What’s the repercussions of disabling this option?
I still need Admin: B to be able to remove non-admin users.
If you revoke ‘ure_manage_options’ capability for user, he will lose access to Settings->User Role Editor page and stop be superadmin for URE.
Workaround scenario:
If you do not use plugins which directly require ‘administrator’ role instead of some user capability, you may create a copy of ‘administrator’ role for additional administrators and block this role (and users with this role) from themselves via “Other roles access” add-on.
Then do not use user with ID=1 in a daily work.I want to prevent this admin user from accidentally removing other admin user (myself, ID=1) while leaving him the ability to remove other non-admin users.
So does revoking the ‘ure_manage_options’ capability from this user achieve this?
If you revoke ‘ure_manage_options’ capability for user, he will stop be superadmin for URE. Thus it will not see other users with ‘administrator’ role.
It’s default security rule applied by URE for not superadmins.Be aware that if you grant to user access to Users->User Role Editor, such user can add ‘ure_manage_options’ back at any time.
I’m a bit confused by your explanation here.
Is the admin user with no ‘ure_manage_options’ capability still able to remove non-admin users?
Yes, he will be able to delete users without this capability.
‘ure_manage_options’ is not related to user deletion at all.
Any user with list_users, ‘delete_users’ can delete user available to him at the Users list page.What would be the reason I cannot deselect the “ure_manage_options” (or any other options for that matter) from the user?
Clicking on the blue checkmark does nothing.
I suppose you try to revoke capability from administrator role. URE does not allow this to prevent accident lose of access to the site management.
Workaround – create a full copy of administrator role, revoke unneeded capabilities from it. Grant it to your other admins.
Where would I create a full copy of admin role, etc.?
I cannot seem to be able to locate that option.
1) Users->User Role Editor->Add Role
2) Select ‘Administrator’ at ‘Make copy of’ drop-down menu
If ‘Administrator’ role is not available for selection, go to Settings->User Role Editor->General and turn ON ‘Show Administrator role at User Role Editor’ option.Or add new role even empty, then click a checkbox to the left from the “Quick filter” label. It will select all capabilities. Update Role.
- You must be logged in to reply to this topic.
