Multi-site support is provided.
Why might this be necessary? Suppose you want the contributors of your multi-author blog to upload their own graphics for use in their posts. The WordPress “contributor” role has no such capability by default. In that situation you previously had to change the user role capabilities manually with an SQL client, as I described in the “How to change wordpress user role capabilities” post, provided you had enough knowledge in that field. But what if you don't?
Good news: this task is simple now, just use this plugin:
User Role Editor
The latest version: 3.14. Number of downloads: 629892

Take a look at the “User Role Editor” plugin main form screenshot:

- Select the role you wish to change from the drop-down list at the top. The page refreshes automatically and shows the capabilities list for the selected role. Make your corrections by checking/unchecking the corresponding check boxes and click the “Update” button to save your changes. If you wish to apply the change to all sites of your multi-site WordPress network, turn on the “Apply to All Sites” check box at the top of the form before pressing “Update”.
- If you prefer to see capability names in a form such as ‘Edit pages’ instead of the standard WordPress form ‘edit_pages’, turn on the “Show capabilities in human readable form” checkbox at the top right corner of the main form. Move the mouse over a capability name and you will see its alternative form.
- According to the WordPress Codex, User Levels were introduced in WordPress 1.5, were replaced by Roles and Capabilities in WordPress 2.0, and were finally deprecated in WordPress 3.0. Thus you can hide them so that they do not get in your way when you work with roles. Keep the “Show deprecated capabilities” check box at the top right corner of the form unchecked for that. If for any reason you need to see user levels, turn on that check box.
- If you don’t wish to save changes, click the “Cancel” button.
- If you need to restore the role capabilities you had before you or installed plugins made the first modification to them, use the “Reset” button. “User Role Editor” will restore roles and capabilities to their clean state: you will get the roles as they are just after WordPress installation. Be very careful with this operation, as you will definitely lose any changes you or your plugins have made to user roles since the fresh WordPress installation. Consider making a backup copy of your database before proceeding with the “Reset” operation.
To add/remove a custom role, change the default role for new users, or add/remove a custom user capability, use the “User Role Editor” management boxes; see the screenshot below:

- If you need your own custom role, create it with the “Add New Role” feature. Enter the new role name into the text field in the “Add New Role” box, select an existing role from the drop-down list if you wish to use its capabilities as a starting point for further work, and click the “Add” button. Remember that you can use latin letters, digits and the “_” underscore sign in your role names. The Subscriber role is copied by default if you don’t select a role yourself.
- An unnecessary self-made role can be deleted with the “Delete Role” box. Select the role and click the “Delete” button. Only your self-made roles appear in the list of roles to delete. If one of your own roles is assigned to a user or selected as the default role for new users, it will not appear in the list for deletion.
- Select the role you wish to use as the default for any newly created user from the list in the “Default Role for New User” box. Click the “Change” button to save your changes.
- Use the “Add New Capability” box to add a new user capability. Remember that you can use only latin alphabet letters, digits and the underscore sign in the capability name. How do you use a newly added user capability? Turn it on in the role you select and check whether the current user has that capability in your plugin or in the active theme's functions.php file. For example:
  if (!current_user_can('some_capability_you_added')) {
      echo "You don't have permission for it!";
      return;
  }
- If you need to delete a custom capability added by you or by one of your old plugins that you don’t use anymore, use the “Delete Capability” box. “User Role Editor” doesn’t allow deleting built-in WordPress capabilities.
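The capability check above, extended into a complete settings handler, as an added example that is not part of User Role Editor or the original post: the menu page is gated by the custom capability, and the POST handler re-checks it and verifies a nonce before saving. The capability name manage_press_kit and every name prefixed with acme are assumptions made for illustration.

```php
<?php
// Added example, not User Role Editor code. Hypothetical names: the custom
// capability 'manage_press_kit' (created with "Add New Capability" and turned
// on for a role) and everything prefixed with 'acme'.

// The menu item and its page are shown only to users holding the capability.
add_action( 'admin_menu', function () {
    add_menu_page( 'Press kit', 'Press kit', 'manage_press_kit',
        'acme-press-kit', 'acme_press_kit_form' );
} );

// wp_nonce_field() adds the hidden _wpnonce field checked by the handler.
function acme_press_kit_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_save_press_kit">
        <?php wp_nonce_field( 'acme_save_press_kit' ); ?>
        <input type="url" name="press_kit_url"
            value="<?php echo esc_attr( get_option( 'acme_press_kit_url', '' ) ); ?>">
        <input type="submit" class="button button-primary" value="Save">
    </form>
    <?php
}

// admin-post.php fires admin_post_{action} for logged-in users only.
add_action( 'admin_post_acme_save_press_kit', 'acme_save_press_kit' );

function acme_save_press_kit() {
    // Hiding the menu is not enough: re-check the capability on every request.
    if ( ! current_user_can( 'manage_press_kit' ) ) {
        wp_die( "You don't have permission for it!", '', array( 'response' => 403 ) );
    }
    // Reject requests that do not carry a valid nonce for this action.
    check_admin_referer( 'acme_save_press_kit' );

    // Unslash and sanitize the submitted value before storing it.
    $url = isset( $_POST['press_kit_url'] )
        ? esc_url_raw( wp_unslash( $_POST['press_kit_url'] ) )
        : '';
    update_option( 'acme_press_kit_url', $url );

    wp_safe_redirect( admin_url( 'admin.php?page=acme-press-kit' ) );
    exit;
}
```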
With the help of “User Role Editor” you can assign additional capabilities directly to users. Open the users list by clicking the “All Users” link in the “Users” submenu. Find the user you need, move the mouse pointer over the user name and click the “Capabilities” link, as on the screenshot below:

In the form that opens you can assign another role to the user and/or add capabilities that are not included in that role:
You cannot turn off capabilities included in the role assigned to this user. You can add/remove other capabilities. They are applied directly to the user when you click the “Update” button. If you wish to build a fully custom capability set for this user, not limited by any role, select “No role for this site” from the drop-down list at the top and do so.
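Capabilities granted this way are stored on the user, not on the role, so they do not show up when you review roles. The following added example (not part of User Role Editor) lists them per user for the current site; the function name, the WP-CLI command name and the selection of capabilities marked as high-privilege are assumptions made for illustration.

```php
<?php
// Added example, not User Role Editor code. The function name, the command
// name and the choice of "high-privilege" capabilities are assumptions.

// Returns user_login => capabilities granted to the user directly on this site.
function acme_users_with_direct_caps() {
    $high = array( 'manage_options', 'edit_users', 'promote_users', 'activate_plugins',
        'install_plugins', 'edit_plugins', 'edit_themes', 'unfiltered_html' );
    $report = array();
    foreach ( get_users() as $user ) {
        // $user->caps is what is stored for this user: role names and directly
        // granted capabilities, as name => true/false. Keep the enabled ones.
        $granted = array_keys( array_filter( $user->caps ) );
        // $user->roles lists the entries that are roles; the rest are direct.
        $direct = array_values( array_diff( $granted, $user->roles ) );
        if ( empty( $direct ) ) {
            continue;
        }
        $report[ $user->user_login ] = array(
            'roles'  => array_values( $user->roles ),
            'direct' => $direct,
            'high'   => array_values( array_intersect( $direct, $high ) ),
        );
    }
    return $report;
}

// Print the report from the command line with: wp acme-direct-caps
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'acme-direct-caps', function () {
        foreach ( acme_users_with_direct_caps() as $login => $row ) {
            WP_CLI::line( sprintf( '%s [%s] direct: %s%s', $login,
                implode( ',', $row['roles'] ), implode( ',', $row['direct'] ),
                $row['high'] ? '  HIGH: ' . implode( ',', $row['high'] ) : '' ) );
        }
    } );
}
```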
For more information about WordPress user roles please read these articles
- WordPress Admin Menu Permissions;
- WordPress user capabilities;
- activate_plugins WordPress user capability;
- edit_dashboard WordPress user capability;
- Delete posts and pages WordPress user capabilities set;
- delete_plugins WordPress user capability;
- moderate_comments WordPress user capability;
- Roles and Capabilities article at codex.wordpress.org;
If you cannot find the answer to a question yourself, consider subscribing to one year of Premium support and get your answer within a guaranteed 24 hours. Pay only $15 and priority in conversations about WordPress user permissions, roles and capabilities related problems, other plugins' menu access, etc. will be yours for the whole year.

Translations
- Dutch: Frank Groeneveld
- French: Presse et Multimedia, Whiler
- German: Peter
- Hebrew: Aryo Digital
- Hindi: Outshine Solutions
- Italian: Tristano Ajmone, Umberto Sartori
- Lithuanian: Vincent G
- Persian: Parsa, Good Life, Amir Khalilnejad
- Polish: TagSite, Bartosz
- Russian: ShinePHP
- Spanish: Victor Ricardo Díaz, Dario Ferrer
- Swedish: Christer Dahlbacka, Andréas Lundgren
- Turkish: Muhammed YILDIRIM
The Russian version of this article is available at ru.shinephp.com
Dear plugin User,
if you wish to help me with this plugin's translation I would very much appreciate it. Please contact me via the Contact form and I will answer you by email. Do not forget to include your site link so that I can show it with greetings for the translation help at shinephp.com, on the plugin settings page and in this readme.txt file. If you have a better translation for some phrases, send it to me. You are welcome!
Former translators! Please check your translations and provide updated files corresponding to the current version of the URE plugin.
Special Thanks to
- Lorenzo Nicoletti – for the code enhancement suggestion: the CUSTOM_USER_META_TABLE constant is now used for better compatibility with the core WordPress API.
- Marcin – for the code enhancement. This contribution makes it possible not to lose a new custom capability if it is added to a role other than ‘Administrator’.
- FullThrottle – for the code to hide the administrator role in the admin backend.
You are welcome! Help me catch bugs, share new ideas about the plugin's further development with me, and a link to your site will appear above.
Recent donations for this plugin's development
- Bart
- Greg Zilberfarb
- BMW Club Norway
- To The Nines Web Agency
- Miami
- quintain
- PriMoThemes.com / WebSharks, Inc.
- Eastwood
Change Log
3.14
- 17.05.2013
- Interface update: the role/capability add/remove controls were removed from the page. The plugin now has a toolbar at the right side. Clicking a button opens the corresponding dialog window.
- A new role may have different "ID" and "Name" attributes. While the ID is still restricted to latin characters, hyphen, underscore and digits only, the Name may contain spaces and national language characters.
- General code cleanup and security enhancements: all data change requests are now processed via POST instead of GET, so it's more difficult to send a modified malicious request without special software. The presence of a special nonce field is checked for all requests.
- Setting the 'administrator' role as the default one for newly registered users is prohibited on the server side.
- JavaScript code is separated from PHP code wherever possible.
14.05.2013
- Update for administrators of multi-site WordPress installations. Administrators of single-site WordPress installations can skip this update.
- The "Apply to All Sites" feature did not work in version 3.12. It is fixed.
- The "Apply to All Sites" feature is now available from the main site of the network only.
3.12
- 01.05.2013
- Critical update: persistent cross-site scripting vulnerability is fixed.
- WordPress built-in constants like WP_PLUGIN_URL are no longer used, in order to provide compatibility with sites which use SSL. The plugin_dir_url() and plugin_dir_path() functions are used to define paths to the plugin's files instead.
- The "Greetings" section is removed from the plugin's main page. All that content is still available at the plugin page.
3.11
- 24.03.2013
- The required WordPress version check is moved to the plugin activation hook.
- The administrator can now exclude non-core (custom) capabilities from his role. This is useful if you need to fully remove a capability, as capability deletion is prohibited while it is used in at least one role.
- bbPress compatibility issue is fixed: capabilities created dynamically by bbPress are excluded from the capabilities set in User Role Editor so that they are not stored in the database as persistent WP roles data.
- Additional roles are assigned to a user without overriding her primary WordPress role and bbPress role.
- Changing the WordPress user's primary role in the user profile doesn't clear additional roles assigned earlier with User Role Editor.
- Brazilian Portuguese translation is updated.
3.10
- 04.02.2013
- You can assign multiple roles to a user simultaneously. Use the user level roles and capabilities editor for that. You can click the 'Capabilities' link under the selected user row in the users list or the 'Assign Roles and Additional Capabilities' link in the user profile.
- Critical bug fix: hidden deprecated WordPress core capabilities were turned on after any update made to the role. Deprecated capabilities are not currently used by WordPress itself, but old plugins or themes could still use them. If you use some outdated code, I recommend that you check all roles you modified with User Role Editor and turn off unneeded deprecated capabilities there.
- A user with the Administrator role is better protected from editing and deletion by a user with lower capabilities.
3.9
- 07.01.2013
- Compatibility with the new bbPress 2.2 user roles model is provided. More details about the reason for this update are at http://shinephp.com/bbpress-user-role-editor-conflict-fix/
- The "Reset" button works differently now. It restores WordPress roles data to its first, default state, exactly what WordPress has just after a fresh install/latest version update. Be careful with it, and make a database backup copy before performing this operation. Some plugins could require reactivation to function properly after a roles reset.
- Arabic translation is added. Thanks to Yaser
- Slovak translation is added. Thanks to Branco
3.8.3
- 14.12.2012
- Compatibility issue with WordPress 3.5 was found (thanks to Sonja) and fixed: $wpdb->prepare() was called without 2nd $args parameter - removed.
3.8.2
- 02.12.2012
- load_plugin_textdomain() call moved to the 'plugins_loaded' hook for higher compatibility with translation plugins.
- Traditional Chinese translation is added. Thanks to Jingxin Lai.
3.8.1
- 21.10.2012
- Fix: URE took role names from the database directly and ignored changes made to role names on the fly by other plugins or themes, that is, names which were cached by WordPress internally but were not written to the database. URE uses the WordPress internal cache now.
- Role names translation update: if a URE translation file doesn't exist for the blog's default language, URE now uses the WordPress internal translation.
- Serbian translation is added. Thanks to Diana.
3.8
- 01.09.2012
- Bug fix: sometimes URE didn't show the real changes it made to the database. The reason was that a direct update of the database did not invalidate data stored in the WordPress cache. Special thanks to Knut Sparhell for the help in detecting this critical issue.
- WordPress core capabilities are shown separately from capabilities added by plugins and manually.
- If you configured URE to show you 'Administrator' role, you will see its capabilities, but you can not exclude any capability from it. I may just add capabilities to the Administrator role now. The reason - Administrator role should have all existing capabilities included.
- Brazilian Portuguese translation is updated. Thanks to Onbiz.
Click here to look at the rest part of User Role Editor changelog.
FAQ
- Does it work in multi-site environment?
Yes, it works with a multi-site installation. By default the plugin works for every blog in your multi-site network in the same way as for a locally installed blog without the multi-site feature.

URE Multi-site feature
To update selected role globally for all Network you should turn on the “Apply to All Sites” checkbox.
- How do I duplicate my custom created roles from the main blog of my multi-site network to a newly created one?
“User Role Editor” does it for you automatically. When a new blog is added to your network, “User Role Editor” copies all roles data from your main blog to the newly created one.
- Why do administrators of a single site of a multi-site network not see “User Role Editor” under the “Users” menu?
URE is disabled for single site administrators by default. If you wish to enable it for single site administrators, add this line of code to your blog's wp-config.php file:
define('URE_ENABLE_SIMPLE_ADMIN_FOR_MULTISITE', 1);
- I have a large multi-site network. After clicking the “Update” button with the “Save to all sites” checkbox turned on, nothing happens. I get a blank page.
It is a PHP script execution time limit problem. Another network update method is available as an alternative from version 3.5. According to my tests it works approximately 30 times faster. Try it. It would be great if you shared your experience with me. To select the alternative method of updating all sites, add this line to your blog's wp-config.php file:
define('URE_MULTISITE_DIRECT_UPDATE', 1);
It does nothing automatically; it just selects the other algorithm the next time you press “Update” with the “Apply to All Sites” checkbox turned on.
If you define the WP_DEBUG constant as 1 or true in the wp-config.php file, URE with this directive shows the update execution time in milliseconds as additional technical information.
- How do I edit the “Administrator” role? I don’t see it in the roles drop-down list.
The “Administrator” role is hidden from the roles drop-down list by default.
You can see/edit the “Administrator” role starting from version 3.4. Insert this line of code
define('URE_SHOW_ADMIN_ROLE', 1);
into your wp-config.php file and log in with an administrator account for that.
If for any reason your “Administrator” role is missing some capabilities added by plugins or themes, you can fix that now. But be careful when changing the “Administrator” role: do not accidentally turn off critical capabilities, so that you do not lock out your admin users.
- Does it work with WordPress versions prior to 3.0?
Starting from version 2.2 the plugin works with WordPress 3.0 and higher only. For earlier WordPress versions use plugin version 2.1.10.
I am ready to answer your questions about this plugin's usage and help with possible problems. Please use the User Role Editor plugin forum, this page's comments or the site contact form for that.
Thanks,
Vladimir ShinePHP.com





