Granting “delete users” capability breaks UM’s “Login as this user”

  • I am the webmaster / developer for a site for a non-profit group that has annual memberships. It is a single site WordPress configuration (i.e. not multi-site).

    We use Ultimate Member to handle the membership. We use many roles to control access and capabilities. Most accounts have the role of “Member”. One other role I created is “Membership-Chair”. Anyone with that role is allowed to approve and edit “Member” accounts. As well, they can delete accounts having the role of “Lapsed Member”.

    As “Administrator” I was always able to “Login as this user” for any account on the system, including folk with the “Membership-Chair” role. A few months ago I noticed that the “Login as this user” option was no longer available to me for a “Membership-Chair” account.

    I figured out what may have been the issue: PublishPress Capabilities showed that the “Membership-Chair” role had both of the WordPress “delete users” and “remove users” capabilities included in their role.

    I found out that when “delete users” rights are allowed, I lose the “Login as this user” option on their account. But if I take away the “delete user” capability, the “Membership-Chair” loses the ability to delete users from the back-end admin “Users” screens.

    Adding or removing “remove users” rights via PublishPress makes no difference to UM “Login as this user” or to having back-end delete rights.

    Furthermore, I found out that as long as “Can delete other member accounts?” is set in the UM role definition for “Membership-Chair”, they can delete accounts from the UM profile screens even if neither one of “delete users” or “remove users” are granted via PublishPress.

    I don’t need to let Membership-Chair delete accounts via admin back-end, so my fix is to (1) make sure the Membership-Chair role “Can delete other member accounts?” is set in the UM role and (2) both “delete users” and “remove users” are NOT granted via PublishPress.

    However, and here is the “support request” part, you may want to look into why granting “delete users” wordpress capability on a role breaks UM’s “Login as this user”.

    FYI WordPress 6.1.1 running with Ultimate Member Version 2.5.4 and PublishPress Capabilities Version 2.7.0

    • This topic was modified 1 year, 9 months ago by ddrapeau.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support andrewshu

    (@andrewshu)

    Hello @ddrapeau

    Sorry for the late answer. We use checking for this menu item in the um_admin_user_actions_hook hook:

    if ( current_user_can( 'manage_options' ) && ! is_super_admin( $user_id ) ) {
		$actions['um_switch_user'] = array( 'label' => __( 'Login as this user', 'ultimate-member' ) );
}

    The is_super_admin function checks the user capability ‘delete_users’. You could check the function is_super_admin().

    If you need to change this you could override the UM hook um_admin_user_actions_hook.

    Regards.

    Plugin Support andrewshu

    (@andrewshu)

    Hi @ddrapeau

    This thread has been inactive for a while so we’re going to go ahead and mark it Resolved.

    Please feel free to re-open this thread if any other questions come up and we’d be happy to help. ??

    Regards

    Thread Starter ddrapeau

    (@ddrapeau)

    I’m not sure if this is solving the issue. This functionality worked before. I have not changed the role structure in my system and I never had any super users. Something changed on your end and the “Login as this user” is no longer available to me if that user’s role includes “delete users” rights.

    Again, I suggest you may want to look into why granting “delete users” wordpress capability on a role breaks UM’s “Login as this user” for any user with that role.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Granting “delete users” capability breaks UM’s “Login as this user”’ is closed to new replies.