• I have created a new ‘Community Administrator’ role with User: List, Create, Delete, and Edit. I would like to disable the Role drop-down in the User edit page when the user with this role edits other users. The danger is that this user could accidentally promote a user to be another ‘Community Administrator’. Can this be done?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Vladimir Garagulya

    (@shinephp)

    There is an “Other roles access” add-on included in the Pro version. With its help it’s possible to block roles visible for the selected role.

    Alternatively, you may use the ‘editable_roles’ filter to exclude the ‘community_administrator’ role from the list of roles available to the ‘community_administrator’ role.

    For example:

    
    add_filter('editable_roles', array($this, 'ure_exclude_comm_admin_role'));

    function ure_exclude_comm_admin_role($roles) {
        // Leave the list untouched for users without the custom admin role
        if (!current_user_can('community_administrator')) {
            return $roles;
        }
        // Remove the custom admin role from the roles this user may assign
        if (isset($roles['community_administrator'])) {
            unset($roles['community_administrator']);
        }

        return $roles;
    }
    

    Could you please mention where this filter code should be placed? We are trying to do something similar by limiting an editor to not have ability to grant administrative access within WishList.

    Plugin Author Vladimir Garagulya

    (@shinephp)

    2 easy ways to add your custom filter to WordPress:
    1) put filter code into the end of the active theme functions.php file
    or
    2) put it into a .php file in the wp-content/mu-plugins folder. It will install the filter as a must-use plugin. Do not forget to start the file with <?php on a separate line.

    Thanks-
    Tried your code example modified for the Administrator role, but after applying it, it removed the ability to change roles completely for all users. I must have done something wrong in the code – I used the following:

    add_filter('editable_roles', array($this, 'ure_exclude_admin_role'));

    function ure_exclude_admin_role($roles) {

        if (!current_user_can('administrator')) {
            return $roles;
        }
        if (isset($roles['administrator'])) {
            unset($roles['administrator']);
        }

        return $roles;
    }

    Plugin Author Vladimir Garagulya

    (@shinephp)

    I gave a wrong example. Replace the 1st line with:

    
    add_filter('editable_roles', 'ure_exclude_comm_admin_role');
    

    Old version raised PHP fatal error.

    Your change inside function

    
    if (!current_user_can('administrator')) {
        return $roles;
    }
    

    will hide ‘administrator’ role from the user with ‘administrator’ role only, but it will show ‘administrator’ role for any other user. I think something is wrong with such logic.
    This variant is better in my opinion:

    
    add_filter('editable_roles', 'ure_exclude_comm_admin_role');

    function ure_exclude_comm_admin_role($roles) {
        // Leave the list untouched for users without the custom admin role
        if (!current_user_can('community_administrator')) {
            return $roles;
        }
        // Remove the custom admin role from the roles this user may assign
        if (isset($roles['community_administrator'])) {
            unset($roles['community_administrator']);
        }

        return $roles;
    }
    

    It will hide the custom admin role from that custom admin role only. User Role Editor itself hides the built-in WordPress ‘administrator’ role from other users (without the ‘administrator’ role, with the ‘edit_users’ capability).

    Thread Starter svacontact

    (@svacontact)

    Thanks. I ended up using the code you posted here: Hide User Profile Fields and reversing the logic to user is ‘not an Admin’. Thank you for this code! I used another part of it to hide fields from Subscriber profiles, but I encountered one serious issue. It seems that disabled fields are nulled out when the user saves the profile (ouch). I altered the code slightly to use the .hide() function instead of disabling. This solves the problem, but the labels still show although the fields are hidden. Any suggestions?

    Thread Starter svacontact

    (@svacontact)

    Sorry just one more question on this. I forgot about ‘Add New’ for this role. I used the code below. This is your code, but I added user-new to the list of pages, and changed from disable to hide(). This works great for the normal ‘role’ dropdown, but not for the URE ‘Other Roles’ dropdown. I used view page source to find the name, but it is not working to hide the URE Other Roles dropdown(??) Any suggestions? Thanks.

    //Hide User Role Dropdown for all but Admin
    add_action('admin_init', 'user_profile_role_disable');

    function user_profile_role_disable() {

        global $pagenow;

        // apply only to user profile or user edit pages
        //**svacontact – added user-new page
        if ($pagenow !== 'profile.php' && $pagenow !== 'user-edit.php' && $pagenow !== 'user-new.php') {
            return;
        }

        // do not change anything for the administrator
        if (current_user_can('administrator')) {
            return;
        }

        add_action('admin_footer', 'user_profile_role_disable_js');

    }

    /**
    * Hides selected fields in WP Admin user pages (profile.php, user-edit.php, user-new.php)
    */
    function user_profile_role_disable_js() {
    ?>
    <script>
    jQuery(document).ready( function($) {
        var fields_to_disable = ['role', 'ure_select_other_roles'];
        for (var i = 0; i < fields_to_disable.length; i++) {
            if ( $('#' + fields_to_disable[i]).length ) {
                $('#' + fields_to_disable[i]).hide(); //attr("disabled", "disabled");
            }
        }
    });
    </script>
    <?php
    }

    Plugin Author Vladimir Garagulya

    (@shinephp)

    Return false from the ‘ure_show_additional_capabilities_section’ filter to hide the ‘Other Roles’ section which URE adds.

    Thread Starter svacontact

    (@svacontact)

    Awesome! Worked great. Thanks.

  • The topic ‘Prevent User Role Change’ is closed to new replies.
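
The two filters named in this thread, combined into one must-use plugin as an added example (not the plugin author's code, and not taken from any post above). It swaps the single-role removal for an allow-list and goes one step beyond the thread by refusing edits to users who already hold a role outside that list; WordPress core consults the filtered `editable_roles` list again when the user form is saved, so that part is enforced server-side rather than by hiding a field. The allow-list contents, the helper name `ca_is_delegated_admin` and the file name are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed location:
// wp-content/mu-plugins/restrict-role-grants.php

// Assumption: the only roles a 'community_administrator' may assign.
const CA_GRANTABLE_ROLES = array('subscriber', 'contributor', 'author');

// True when the user holds the delegated role but is not a full administrator.
function ca_is_delegated_admin($user_id) {
    $user = get_userdata($user_id);
    if (!$user) {
        return false;
    }
    return in_array('community_administrator', $user->roles, true)
        && !in_array('administrator', $user->roles, true);
}

// Role drop-down on user-edit.php and user-new.php: keep only allow-listed
// roles. Core checks the submitted role against this same filtered list.
add_filter('editable_roles', function ($roles) {
    if (!ca_is_delegated_admin(get_current_user_id())) {
        return $roles;
    }
    return array_intersect_key($roles, array_flip(CA_GRANTABLE_ROLES));
});

// "Other Roles" section added by User Role Editor: returning false hides it.
add_filter('ure_show_additional_capabilities_section', function ($show) {
    return ca_is_delegated_admin(get_current_user_id()) ? false : $show;
});

// Beyond the thread: refuse edit/promote/delete when the target already holds
// a role outside the allow-list (e.g. another community administrator).
add_filter('map_meta_cap', function ($caps, $cap, $user_id, $args) {
    $guarded = array('edit_user', 'promote_user', 'delete_user', 'remove_user');
    if (!in_array($cap, $guarded, true) || empty($args[0])) {
        return $caps;
    }
    $target = get_userdata((int) $args[0]);
    if (!$target || (int) $args[0] === (int) $user_id) {
        return $caps; // unknown target or own profile: leave core's decision
    }
    if (ca_is_delegated_admin($user_id)
        && array_diff($target->roles, CA_GRANTABLE_ROLES)) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4);
```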