[wp-hackers] restricted 'Edit Users' capability
Mark Jaquith
mark.wordpress at txfx.net
Sun Mar 4 18:02:29 GMT 2007
On Mar 3, 2007, at 10:34 AM, David M. Besonen wrote:
> does wp 2.1 restrict the 'Edit Users' capability to only allow
> for the editing of roles and capabilities of the same 'User
> Level' or lower?
>
> the purpose of this would be to be able to assign user
> management tasks to non-admins.

No. User levels are deprecated and are only present for backwards
compatibility reasons. A user is defined by his or her
capabilities. You cannot assume that a particular role will exist or
that it will be more capable than any other role... you have to look
at capabilities.

One way it could be done is to give a special capability that allows
someone to edit users who lack that capability or the "edit_users"
capability. I think I've done that before, within a plugin. You
could also provide an array of caps that such users can't assign,
like edit_options. For full security, you wouldn't want them to be
able to post any unfiltered HTML or edit any PHP files, because these
could be used to escalate their capabilities.
--
Mark Jaquith
http://markjaquith.com/
Covered Web Services
http://coveredwebservices.com/
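
The approach described in the reply above, sketched as a small plugin. This is an added example, not code from the original message or from the plugin its author mentions. The capability name `manage_lesser_users` and the `dum_` prefix are hypothetical, and the code assumes a current single-site WordPress install with the `map_meta_cap` and `editable_roles` filters.

```php
<?php
// Added example. DUM_CAP and the dum_ prefix are hypothetical names.
// Assumed setup: the delegated role holds core's list_users, edit_users and
// promote_users plus DUM_CAP; administrators do not hold DUM_CAP.
const DUM_CAP = 'manage_lesser_users';

// Caps a delegated manager must never hand out. The last four are the
// escalation paths: unfiltered HTML and editing PHP files.
const DUM_DENIED_CAPS = array(
    'manage_options', 'edit_users', DUM_CAP,
    'unfiltered_html', 'edit_files', 'edit_plugins', 'edit_themes',
);

// True only for caps explicitly granted to the user (via roles or per user).
function dum_has( $user_id, $cap ) {
    $user = get_userdata( $user_id );
    return $user && ! empty( $user->allcaps[ $cap ] );
}

// Refuse per-user actions aimed at anyone who can manage users themselves.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'promote_user', 'delete_user', 'remove_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $target = (int) $args[0];
    if ( ! dum_has( $user_id, DUM_CAP ) || ( 'edit_user' === $cap && $target === (int) $user_id ) ) {
        return $caps; // Not a delegated manager, or editing own profile.
    }
    if ( dum_has( $target, 'edit_users' ) || dum_has( $target, DUM_CAP ) ) {
        $caps[] = 'do_not_allow'; // Core denies any check that maps to this.
    }
    return $caps;
}, 10, 4 );

// Hide every role that carries a denied cap from the role pickers.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! dum_has( get_current_user_id(), DUM_CAP ) ) {
        return $roles;
    }
    foreach ( $roles as $slug => $role ) {
        if ( array_intersect_key( array_filter( $role['capabilities'] ), array_flip( DUM_DENIED_CAPS ) ) ) {
            unset( $roles[ $slug ] );
        }
    }
    return $roles;
} );
```

Because the delegated role itself carries `edit_users`, it is also filtered out of the role list, so a delegated manager cannot create peers or promote anyone into a role that can post unfiltered HTML or edit PHP files.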