I’ve been studying roles and capabilities and have worked with and worked up a bunch of awesome code for creating unique capabilities and roles. I have created a “Master Editor” role to maintain users with almost every capability…
However, edit_users & delete_users obviously allows for an editor to CUD users, including the existing administrators…

At the moment I’m too new at coding to be confident editing users.php but I have to be close to the solution:

if ( ! current_user_can( 'delete_users' ) )
    // or is trying to delete an admin's $userids
    wp_die(__('You can’t delete users.')); // or administrators

$update="del";
$delete_count = 0;

foreach ( $userids as $id ) {
    if ( ! current_user_can( 'delete_user', $id ) )
        wp_die(__( 'You can’t delete that user.' ) );

    if ( $id == $current_user->ID ) {
        $update="err_admin_del";
        continue;
    }
    switch ( $_REQUEST['delete_option'] ) {
    case 'delete':
        wp_delete_user( $id );
        break;
    case 'reassign':
        wp_delete_user( $id, $_REQUEST['reassign_user'] );
        break;
    }
    ++$delete_count;
}

I can’t figure out how to check that the $userids in question are an administrator’s user ID. Because if I can I could add that to the die… Am I on the right track?
Thanks in advance.

2 Answers
2

Your question seems to boil down to this

I can’t figure out how to check that the $userids in question are an
administrator’s user ID.

Try

user_can($id,'administrator')

http://codex.wordpress.org/Function_Reference/user_can

The Codex has a warning about using role names with the current_user_can function, and it is very similar to user_can, so I suppose caution is in order until the conflicting instructions are sorted.

Do not pass a role name to current_user_can(), as this is not
guaranteed to work correctly.

The same page also says:

$capability
(string) (required) capability or role name
Default: None

As does the source:

  • @param string $capability Capability or role name.

Are you hacking a core file? The users.php isn’t this users.php, is it? That is a high-maintenance path you are going down if it is.
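
One way to get the restriction without editing users.php, as an added example that is not part of the original question or answers: a small plugin that hooks the map_meta_cap filter, so the existing current_user_can( 'delete_user', $id ) check in the loop above fails when the target is an administrator and the acting user is not. The plugin name and the pa_ function names are hypothetical; it assumes "administrator" is the only role to protect, and it inspects the target's roles directly instead of passing a role name to user_can().

```php
<?php
/**
 * Plugin Name: Protect Administrators (added example; hypothetical plugin name)
 */

// Assumption: "administrator" is the only role that must be shielded.
// Checks role membership directly, not via a role name passed as a capability.
function pa_is_admin_account( $user_id ) {
    $user = get_userdata( (int) $user_id );
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

// edit_user, delete_user, remove_user and promote_user are meta capabilities:
// WordPress passes the target user ID in $args[0] when core calls
// current_user_can( 'delete_user', $id ).
function pa_protect_admins( $caps, $cap, $actor_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    // Target is an administrator and the acting user is not: deny.
    if ( pa_is_admin_account( $args[0] ) && ! pa_is_admin_account( $actor_id ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'pa_protect_admins', 10, 4 );

// Keep non-administrators from assigning the administrator role to anyone,
// which would otherwise let a "Master Editor" escalate an account.
function pa_hide_admin_role( $roles ) {
    if ( ! pa_is_admin_account( get_current_user_id() ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}
add_filter( 'editable_roles', 'pa_hide_admin_role' );
```

Because the check lives in the capability mapping, it also applies to the edit and role-change paths that use the same meta capabilities, not only to the bulk delete loop.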
