Remove Ability for Administrators to Delete Administrators

I’ve been studying roles and capabilities and have worked with and worked up a bunch of awesome code for creating unique capabilities and roles. I have created a “Master Editor” role to maintain users with almost every capability…
However, edit_users & delete_users obviously allows for an editor to CUD users, including the existing administrators…

At the moment I’m too new at coding to be confident editing users.php but I have to be close to the solution:

if ( ! current_user_can( 'delete_users' ) ) 
// or is trying to delete an admin's $userids 
wp_die(__('You can’t delete users.')); // or administrators

$update = 'del';
$delete_count = 0;

foreach ( $userids as $id ) {
    if ( ! current_user_can( 'delete_user', $id ) )
        wp_die(__( 'You can’t delete that user.' ) );

    if ( $id == $current_user->ID ) {
        $update = 'err_admin_del';
        continue;
    }
    switch ( $_REQUEST['delete_option'] ) {
    case 'delete':
        wp_delete_user( $id );
        break;
    case 'reassign':
        wp_delete_user( $id, $_REQUEST['reassign_user'] );
        break;
    }
    ++$delete_count;
}

I can’t figure out how to check that the $userids in question are an administrators user ID. Because if I can I could add that to the die… Am I on the right track?
Thanks in advance.

Answers:

Method 1

Your question seems to boil down to this

I can’t figure out how to check that the $userids in question are an
administrators user ID.

Try

user_can($id,'administrator')

http://codex.wordpress.org/Function_Reference/user_can

The Codex has a warning about using role names with the current_user_can function, and it is very similar to user_can, so I suppose caution is in order until the conflicting instructions are sorted.

Do not pass a role name to current_user_can(), as this is not
guaranteed to work correctly.

The same page also says:

$capability
(string) (required) capability or role name
Default: None

As does the source:

 * @param string $capability Capability or role name.

Are you hacking a core file? The users.php isn’t this users.php, is it? That is a high-maintenance path you are going down if it is.

Method 2

Very nice write-up by @s_ha_dum. I’ll just extend his answer regarding the contradiction in the documentation.

Recently I was dealing with current_user_can, investigated a bit and came up with this function:

/**
 * Function name grabbed from: http://core.trac.wordpress.org/ticket/22624
 * 2 lines of code from TutPlus: http://goo.gl/X4lmf
 */
if( !function_exists( 'current_user_has_role' ) )
{
    function current_user_has_role( $role )
    {
        $current_user = new WP_User( wp_get_current_user()->ID );
        $user_roles = $current_user->roles;
        $is_or_not = in_array( $role, $user_roles );
        return $is_or_not;
    }
}
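
The check the question asks for can be enforced without editing users.php. The following is an added example, not code from the original question or answers: it filters map_meta_cap so that the per-user checks core already performs (such as current_user_can( 'delete_user', $id ) in the snippet above) fail when a non-administrator targets an administrator, and it filters editable_roles so the custom role cannot hand out the administrator role. The function names are hypothetical, and the code assumes it is loaded from a plugin or mu-plugin and that the default 'administrator' role slug is in use.

```php
<?php
// Added example: function names below are hypothetical, not WordPress core.

// Core resolves 'delete_user', 'edit_user', etc. through map_meta_cap,
// passing the target user's ID as the first extra argument.
add_filter( 'map_meta_cap', 'example_protect_admin_accounts', 10, 4 );

function example_protect_admin_accounts( $caps, $cap, $user_id, $args ) {
    // Meta capabilities that core checks against a specific target user.
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );

    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps; // Not a per-user check: leave untouched.
    }

    $target = get_userdata( (int) $args[0] );
    $actor  = get_userdata( (int) $user_id );
    if ( ! $target || ! $actor ) {
        return $caps;
    }

    // Compare roles directly instead of passing a role name to user_can().
    $target_is_admin = in_array( 'administrator', (array) $target->roles, true );
    $actor_is_admin  = in_array( 'administrator', (array) $actor->roles, true );

    if ( $target_is_admin && ! $actor_is_admin ) {
        // 'do_not_allow' is the core sentinel that no role can satisfy.
        $caps[] = 'do_not_allow';
    }
    return $caps;
}

// Without this, a role holding promote_users or create_users could still
// assign the administrator role to an account it controls.
add_filter( 'editable_roles', 'example_hide_admin_role' );

function example_hide_admin_role( $roles ) {
    $current = wp_get_current_user();
    if ( ! in_array( 'administrator', (array) $current->roles, true ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}
```

Because the filter acts on the capability check itself, it also covers bulk actions and any other code path that calls current_user_can() with a user ID, and it survives core updates.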


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
