• Hi,
    I’m having a problem restricting a user role from editing other user roles. I want to give a specific User role the capability to edit or delete certain specific user roles. I created a new User role -> Clicked on “Can edit other member accounts” -> “Can edit these user roles only” made a few selections -> enabled WP capability edit_user – updated user role. When logged in as this user role (with no WP role assigned to it) I was able to access all users, and edit them, including the Administrator role. This is terrible, because it gives the user the capability to change the Admin role of the Administrator.

    Even with the edit_users WP capability disabled, the Admin user can still be deactivated under UM Action.

    I’m using the latest update 2.0.38
    Any suggestions?

    Peter

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Ultimate Member Support

    (@ultimatemembersupport)

    Hi @peterhl,

    Can you please clarify what you mean by “When logged in as this user role (with no WP role assigned to it)”?

    I’ve double checked this issue on our test site and I couldn’t replicate it.
    Do you have any other membership plugins or role editing plugins?
    This issue can be due to some conflicts with your theme or other plugins, please do a quick conflict test and see if this issue goes away.
    Here is the doc on how to do a conflict test if you are not sure how to do it.

    Regards.

    Thread Starter PeterHl

    (@peterhl)

    Hi,
    What I meant was that I did not assign the newly created user a WordPress role, i.e. admin, editor, author, contributor or subscriber, just gave them a UM role and selected WordPress capabilities, e.g. can edit users, but only non-admin. Then when I logged in as this new user, I could still edit the admin user and change its assigned role. So the selections I picked for WP capabilities for this new user seemed to have been ignored.

    I’m not using any other membership or role editing plugin. I don’t think it is a theme conflict since all the user editing happens in the back-end.

    Peter

    Thread Starter PeterHl

    (@peterhl)

    Hi again,

    I copied the site to a dev site and did the conflict test. The problem persisted. A user whose Administrative Permissions were set to Edit or Delete only non-admin users was still able to edit all users, but strangely not delete any users – the delete option was not displayed.

    As it is now, I can only grant user edit and delete privileges to administrators, otherwise I run the risk of an unauthorized user editing out the administrator’s designation and taking over by assigning themselves as an admin.

    This is not how this plugin was intended to work, I’m sure. Help?

    Peter
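
An added example, not part of the thread and not Ultimate Member's own code: one way to guard administrator accounts at the WordPress core level, so that an account holding `edit_users` but lacking the `administrator` role cannot edit, delete, or re-role an administrator, or assign the Administrator role. It uses the core `editable_roles` and `map_meta_cap` filters; the helper name `pa_user_is_admin` and the file name are hypothetical, and it is an assumption that plugin-specific actions (such as the UM deactivate action mentioned above) go through these core checks.

```php
<?php
/**
 * Added example: drop into wp-content/mu-plugins/protect-admins.php
 * (hypothetical file name) so it loads regardless of the active theme.
 */

// Hypothetical helper: true if the given user holds the administrator role.
function pa_user_is_admin( $user_id ) {
    $user = get_userdata( (int) $user_id );
    return $user && in_array( 'administrator', (array) $user->roles, true );
}

// 1. Remove Administrator from the list of roles a non-admin may assign.
//    Core's role dropdown and user-edit handling read this list through
//    get_editable_roles(), so a non-admin cannot promote anyone to admin.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! pa_user_is_admin( get_current_user_id() ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 2. Deny the per-user meta capabilities when the target account is an
//    administrator and the acting account is not.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );

    // Only act on user-targeted checks that carry a target user ID.
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }

    if ( pa_user_is_admin( $args[0] ) && ! pa_user_is_admin( $user_id ) ) {
        // 'do_not_allow' is the core sentinel that no role can satisfy.
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );
```

To verify, log in as the restricted account and confirm that administrator rows in Users no longer offer an Edit link and that the role dropdown omits Administrator.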

    Thread Starter PeterHl

    (@peterhl)

    Hi

    Any advice/follow-up on this question?

  • The topic ‘Administrative permissions (restrictions) not working’ is closed to new replies.