[wp-hackers] restricted 'Edit Users' capability
mark.wordpress at txfx.net
Sun Mar 4 18:02:29 GMT 2007
On Mar 3, 2007, at 10:34 AM, David M. Besonen wrote:
> does wp 2.1 restrict the 'Edit Users' capability to only allow
> for the editing of roles and capabilities of the same 'User
> Level' or lower?
> the purpose of this would be to be able to assign user
> management tasks to non-admins.
No. User levels are deprecated and are only present for backwards
compatibility reasons. A user is defined by his or her
capabilities. You cannot assume that a particular role will exist or
that it will be more capable than any other role... you have to look

One way it could be done is to give a special capability that allows
someone to edit users who lack that capability or the "edit_users"
capability. I think I've done that before, within a plugin. You
could also provide an array of caps that such users can't assign,
like edit_options. For full security, you wouldn't want them to be
able to post any unfiltered HTML or edit any PHP files, because these
could be used to escalate their capabilities.
Covered Web Services
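
Added example, not from the original post or the plugin its author mentions: a sketch of the approach described in the reply above, written against the `map_meta_cap` and `editable_roles` filters found in WordPress releases later than the 2.1 under discussion. The capability name `manage_lesser_users`, the `lum_` function names and the contents of the deny list are assumptions, and the delegated role is assumed to also hold `list_users`, `edit_users` and `promote_users`.

```php
<?php
/* Plugin Name: Limited User Manager (added example) */

// Hypothetical marker capability carried by the delegated, non-admin role.
const LUM_MARKER_CAP = 'manage_lesser_users';

// Assumed deny list: capabilities that lead to full control of the site
// (user management, settings, unfiltered HTML, editing PHP files).
const LUM_DENIED_CAPS = array(
	'edit_users', 'promote_users', 'manage_options', 'unfiltered_html',
	'edit_files', 'edit_plugins', 'edit_themes', LUM_MARKER_CAP,
);

function lum_is_delegate( $user_id ) {
	return user_can( $user_id, LUM_MARKER_CAP ) && ! user_can( $user_id, 'manage_options' );
}

// Per-target check: a delegate may not edit, delete, remove or promote an
// account that already holds any capability on the deny list.
function lum_map_meta_cap( $caps, $cap, $user_id, $args ) {
	$user_meta_caps = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
	if ( ! in_array( $cap, $user_meta_caps, true ) || empty( $args[0] ) ) {
		return $caps; // not a check against a specific user
	}
	$target_id = (int) $args[0];
	if ( $target_id === (int) $user_id || ! lum_is_delegate( $user_id ) ) {
		return $caps; // own profile, or not a delegate: core rules apply
	}
	foreach ( LUM_DENIED_CAPS as $denied ) {
		if ( user_can( $target_id, $denied ) ) {
			$caps[] = 'do_not_allow'; // core capability that nobody holds
			break;
		}
	}
	return $caps;
}
add_filter( 'map_meta_cap', 'lum_map_meta_cap', 10, 4 );

// Assignment check: hide every role that grants a denied capability, so a
// delegate cannot hand out more power than the delegation was meant to give.
function lum_editable_roles( $roles ) {
	if ( ! lum_is_delegate( get_current_user_id() ) ) {
		return $roles;
	}
	foreach ( $roles as $slug => $role ) {
		// $role['capabilities'] maps capability name => bool.
		if ( array_intersect( array_keys( array_filter( $role['capabilities'] ) ), LUM_DENIED_CAPS ) ) {
			unset( $roles[ $slug ] );
		}
	}
	return $roles;
}
add_filter( 'editable_roles', 'lum_editable_roles' );
```

Because the checks test capabilities rather than role names or user levels, they keep working on sites where roles have been renamed or customised.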