IT Nursery
  • 1010 Avenue of the Moon
    New York, NY 10018 US.
  • Mon - Sat 8.00 - 18.00
    Sunday: Closed
  • Get A Quote
  • WordPress

    • Editor can create any new user except administrator

    • IT Nursery
    • April 7, 2022
    • 0

    I have set up a WordPress site for a client. The client has the Editor role, however I have installed the Members plugin and given the client the capability to add new users to the WP admin. This is working just fine.

    The question I have is that I would like for the client to have the ability to create new user as with the roles of a Contributor, Subscriber, Editor and Author, but NOT Administrator. The new users the client creates should not have the Administrator role. Is it possible to hide this option somehow?

    Thanks
    Vayu

    4

    It’s actually pretty easy. You need to filter into map_meta_caps and stop editors from creating/editing admins, and remove the administrator role from the ‘editable roles’ array. This class, as a plugin or in your theme’s functions.php file would do it:

    class JPB_User_Caps {

  // Add our filters
  function __construct(){
    add_filter( 'editable_roles', array($this, 'editable_roles'));
    add_filter( 'map_meta_cap', array($this, 'map_meta_cap'), 10, 4);
  }

  // Remove 'Administrator' from the list of roles if the current user is not an admin
  function editable_roles( $roles ){
    if( isset( $roles['administrator'] ) && !current_user_can('administrator') ){
      unset( $roles['administrator']);
    }
    return $roles;
  }

  // If someone is trying to edit or delete and admin and that user isn't an admin, don't allow it
  function map_meta_cap( $caps, $cap, $user_id, $args ){

    switch( $cap ){
        case 'edit_user':
        case 'remove_user':
        case 'promote_user':
            if( isset($args[0]) && $args[0] == $user_id )
                break;
            elseif( !isset($args[0]) )
                $caps[] = 'do_not_allow';
            $other = new WP_User( absint($args[0]) );
            if( $other->has_cap( 'administrator' ) ){
                if(!current_user_can('administrator')){
                    $caps[] = 'do_not_allow';
                }
            }
            break;
        case 'delete_user':
        case 'delete_users':
            if( !isset($args[0]) )
                break;
            $other = new WP_User( absint($args[0]) );
            if( $other->has_cap( 'administrator' ) ){
                if(!current_user_can('administrator')){
                    $caps[] = 'do_not_allow';
                }
            }
            break;
        default:
            break;
    }
    return $caps;
  }

}

$jpb_user_caps = new JPB_User_Caps();

    EDIT

    Ok, so I took a look into why it was letting user deletion slip through. It looks like delete_user is handled slightly differently from edit_user; I’ve modified the map_meta_cap method to work around this. I’ve tested on 3.0.3 and this will prevent anybody but administrators from actually deleting, editing, or creating an administrator.

    EDIT 2

    I updated the code to reflect @bugnumber9 ‘s answer below. Please go give that answer an upvote!

    Tags:

    Leave a Reply

    Your email address will not be published. Required fields are marked *