• Resolved studio1337

    (@studio1337)


    Hello,

    I’m trying to implement a setting that will allow plug-in updates to run without any issues, while preventing users from installing new plug-ins. I imagine this would be a setting that goes into the wp-config file, or a function that adjusts the admin role so they are unable to add new plug-ins unless the function is commented out. I’m just not sure what that setting is.

    This seems like it should be so easy to do, but every search I’ve done on the topic has been an all-or-nothing solution. I have this feeling I’m missing something simple/obvious; maybe I’m searching for the wrong terms and just not seeing it. Can someone point me in the right direction?

    Thanks!
    Paul H.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator bcworkz

    (@bcworkz)

    Not as simple as a wp-config.php entry. There are separate capabilities involved: update_plugins, edit_plugins, and install_plugins. It’s a matter of granting their user or role the right capabilities without granting install_plugins.

    Because capabilities and roles persist, some one-time code to set this up could be run. Or install one of several role and capability management plugins and use their UI to do the same. You can deactivate the plugin when you are finished.

    Thread Starter studio1337

    (@studio1337)

    OK, I think I see what I need. The function to use is remove_cap('install_plugins'), and apply it to administrators. Does that look right?

    Moderator bcworkz

    (@bcworkz)

    Well, remove_cap() is a WP_Role method, so actually:
    get_role('administrator')->remove_cap('install_plugins');
    (call from ‘admin_init’ action callback, make a backend request to run the code, then remove the code. No point in doing this on every request)

    But then NO ONE will be able to add more plugins unless you have some custom role somewhere. Add the capability to your or someone's WP_User object.

    Thread Starter studio1337

    (@studio1337)

    Yep – I was just writing pseudo/incomplete code from my phone when I replied yesterday. Of course it would need to be scripted properly to make it work, and I appreciate the pointers.

    But that’s exactly what I’m looking for – a way to outright block *anyone* from adding new plug-ins while still allowing plug-ins to be updated. When a new plug-in is needed, we can comment out the blocking mechanism and add the plug-in ourselves. This is for sites we are contracted to host, manage, maintain, update and Webmaster. There are clients who will want/need admin privileges for other reasons, and we don’t want them adding plug-ins unless we’ve vetted them first to ensure they’re being actively supported and won’t conflict with other plug-ins we’ve installed into the sites (almost all of them are sites we’ve built). A role editor plug-in seemed like more overhead than necessary and more trouble to configure than just dropping a couple lines of code into our themes.

    So if NO ONE can add a plug-in, and we can manually turn this on and off by editing the theme functions file directly (or a child theme functions.php page for the occasional site where we use something off-the-shelf), that’s golden! Thanks for pointing me in the right direction

    Moderator bcworkz

    (@bcworkz)

    That’s fine if you want to go that way. One small correction in your concept. It will not be just a matter of commenting out when dealing with capabilities. You’ll need code explicitly adding it back to the role. You see, capabilities are written to the DB and persist until opposing code changes it.

    You could (and should) comment out the code as soon as it is run once and the change will persist. This is why you needn’t worry about a role management plugin overhead. Once you’ve set what you want, you can deactivate it. AFAIK there are no configuration or setup procedures for such plugins. Naturally there’s a small learning curve, like less than 5 minutes of poking around. The advantage of such a plugin is sometimes you need to try different capabilities until you get the correct behavior, they are not always as intuitive as they seem. The plugin UI makes this easy. But if you know for sure what you need, custom code is just as effective. I’m pretty sure we’ve got this one right

    Thread Starter studio1337

    (@studio1337)

    > capabilities are written to the DB and persist until opposing code changes it.

    I learned something new here – thank you! I thought this was a check done with each page load. It makes sense that it would be built into the database, now that you mention it. But I thought altering permissions was handled in real-time against the default user role capabilities, and not a stored variable. This is very good to know.
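
The approach discussed in this thread, as an added example that is not code from any of the posters: a functions.php snippet that brings the stored administrator role in line with a desired state, so restoring install_plugins is an explicit add_cap() call instead of a commented-out line. The constant MYSITE_ALLOW_PLUGIN_INSTALL, the function name mysite_sync_install_cap and the login 'agency-maintainer' are hypothetical names chosen for illustration.

```php
<?php
// Added example, not from the thread. MYSITE_ALLOW_PLUGIN_INSTALL,
// mysite_sync_install_cap and 'agency-maintainer' are hypothetical names.

// Desired state: false = administrators cannot install new plugins.
// Set to true and load one admin page to write the capability back.
if ( ! defined( 'MYSITE_ALLOW_PLUGIN_INSTALL' ) ) {
    define( 'MYSITE_ALLOW_PLUGIN_INSTALL', false );
}

function mysite_sync_install_cap() {
    $role = get_role( 'administrator' );
    if ( null === $role ) {
        return; // Role was renamed or removed; nothing to change.
    }

    // Role capabilities are stored in the database, so commenting this code
    // out never restores anything. Write only when the stored state differs
    // from the desired one, which avoids a DB write on every admin request.
    $has = $role->has_cap( 'install_plugins' );
    if ( MYSITE_ALLOW_PLUGIN_INSTALL && ! $has ) {
        $role->add_cap( 'install_plugins' );    // explicit restore
    } elseif ( ! MYSITE_ALLOW_PLUGIN_INSTALL && $has ) {
        $role->remove_cap( 'install_plugins' ); // update_plugins is untouched
    }

    // Optional: one vetted account keeps the capability on its own
    // WP_User object, independent of the role (constructed login).
    $maintainer = get_user_by( 'login', 'agency-maintainer' );
    if ( $maintainer && empty( $maintainer->caps['install_plugins'] ) ) {
        $maintainer->add_cap( 'install_plugins' );
    }
}
add_action( 'admin_init', 'mysite_sync_install_cap' );
```

Once the stored role matches the constant, the callback makes no further writes, so it can be left in place or removed after one backend request as suggested above.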

  • The topic ‘Plug-ins: allow updates, disallow add new’ is closed to new replies.