[wp-hackers] restricted 'Edit Users' capability

Mark Jaquith mark.wordpress at txfx.net
Sun Mar 4 18:02:29 GMT 2007

On Mar 3, 2007, at 10:34 AM, David M. Besonen wrote:

> does wp 2.1 restrict the 'Edit Users' capability to only allow
> for the editing of roles and capabilities of the same 'User
> Level' or lower?
> the purpose of this would be to be able to assign user
> management tasks to non-admins.

No.  User levels are deprecated and are only present for backwards  
compatibility reasons.  A user is defined by his or her  
capabilities.  You cannot assume that a particular role will exist or  
that it will be more capable than any other role... you have to look  
at capabilities.

One way it could be done is to give a special capability that allows  
someone to edit users who lack that capability or the "edit_users"  
capability.  I think I've done that before, within a plugin.  You  
could also provide an array of caps that such users can't assign,  
like edit_options.  For full security, you wouldn't want them to be  
able to post any unfiltered HTML or edit any PHP files, because these  
could be used to escalate their capabilities.

Mark Jaquith

Covered Web Services
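One way to express the approach described in the reply above on a current single-site WordPress, as an added example that is not Mark Jaquith's plugin and not WordPress core code. It uses the `map_meta_cap` and `editable_roles` filters; the capability name `manage_lesser_users`, the `dum_` prefix and the contents of the deny list are assumptions made for illustration.

```php
<?php
// Added example. DELEGATE_CAP, the dum_ prefix and the deny list are assumptions.
const DELEGATE_CAP = 'manage_lesser_users'; // hypothetical custom capability

// Caps a delegate must never hand out; the delegate's own role should lack them too,
// since unfiltered HTML or PHP file editing can be used to escalate.
const UNASSIGNABLE_CAPS = array(
    'edit_users', DELEGATE_CAP, 'edit_options', 'manage_options',
    'unfiltered_html', 'edit_plugins', 'edit_themes', 'edit_files',
);

// A delegate holds the special cap but not the full edit_users capability.
function dum_is_delegate( $user_id ) {
    return user_can( $user_id, DELEGATE_CAP ) && ! user_can( $user_id, 'edit_users' );
}

// Decide per target user: look at the target's capabilities, never at levels or role names.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $user_meta_caps = array( 'edit_user', 'promote_user', 'remove_user', 'delete_user' );
    if ( ! in_array( $cap, $user_meta_caps, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $target_id = (int) $args[0];
    if ( $target_id === (int) $user_id || ! dum_is_delegate( $user_id ) ) {
        return $caps; // own profile, or not a delegate: core rules apply unchanged
    }
    // Targets who can manage users themselves are off limits to delegates.
    if ( user_can( $target_id, DELEGATE_CAP ) || user_can( $target_id, 'edit_users' ) ) {
        return array( 'do_not_allow' );
    }
    return array( DELEGATE_CAP ); // allowed on the strength of the special cap alone
}, 10, 4 );

// Hide every role that carries a forbidden cap from the delegate's role picker.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! dum_is_delegate( get_current_user_id() ) ) {
        return $roles;
    }
    return array_filter( $roles, function ( $role ) {
        $granted = array_keys( array_filter( $role['capabilities'] ) );
        return ! array_intersect( $granted, UNASSIGNABLE_CAPS );
    } );
} );
```

The role that carries the special capability also needs `list_users` to reach the Users screen.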
