[wp-trac] Re: [WordPress Trac] #2775: Ability for all users to add
users of lesser cabable roles
WordPress Trac
wp-trac at lists.automattic.com
Sat Jun 3 01:29:49 GMT 2006
#2775: Ability for all users to add users of lesser cabable roles
----------------------------+-----------------------------------------------
Id: 2775 | Status: new
Component: Administration | Modified: Sat Jun 3 01:29:49 2006
Severity: enhancement | Milestone:
Priority: normal | Version: 2.1
Owner: anonymous | Reporter: doit-cu
----------------------------+-----------------------------------------------
Comment (by doit-cu):
I guess I was thinking more along the lines that a user should not be able
to edit a user who has a capability that the editing user does not have.
So, for instance, if role foo has capabilities biz and baz, and role bar
has capabilities biz, baz, and bam, foo should not be able to edit bar,
but bar should be able to edit foo. The reasoning in my mind is that bar
is more trusted in the system, having the ability to "bam." Also, if gaz
has capability qux, and zxc has the capability asd, neither should be able
to edit the other.
The real point of what I'm trying for in my instance is not really editing
though, but the ability to create users with a subset (defined as a role)
of capabilities. Now this ability can be added in to the wordpress code
base without changing the default functionality- as far as I know, only
administrator has the edit_users capability out of the gate. I guess it
seems to me that user management should be a bit more granular than an
on/off switch.
I agree that there should not be a hierarchy set up between roles, and I
can understand that this might not be desireable default behavior. What
this would do though is make the application more amenable to Plugins and
other "aftermarket" modifications. I believe it will make the application
more customizable, rather than simply being a customization in and of
itself.
I have the code all written up, I just need to drop in some cleaner UI
errors as opposed to simply die(). I'll upload a diff later this weekend
and see what you all think... this seems to be a difficult one for me to
get my choice of words correct on.
Barring that, I think the cleanest way to provide a plugin with this
ability would be to allow redefinition of the current_user_can function.
users.php and user-edit.php would need to pass in a WP_User object or an
array of said objects by reference (so that you can clean out the denied
users while maintaining the allowed users) into current_user_can in order
for that to be of any real use. I still see a problem here, because if
someone has edit_user and activate_plugins, they could turn off the
filtering plugin and be able to edit and users again. The protection
should, in my opinion, really be a part of the application.
Finally, thank you both for your time on this.
--
Ticket URL: <http://trac.wordpress.org/ticket/2775>
WordPress Trac <http://wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list