delete_users capability. Is it enough? No. In order to delete a user, you need to select that user from the user list. Thus, you need one more user capability: ‘list_users’. Without it you cannot access your blog's user list (the “Users->All Users” menu item) in a single-site WordPress installation, and so cannot apply the “Delete” command to a selected user. Continue reading for a more detailed description and, if you are curious enough, a look inside the WordPress core source code to see where and how WordPress implements the ‘delete_users’ security permission.
Which features in the WordPress administrator interface depend on the ‘delete_users’ capability? The ‘Delete’ link under the user name and the ‘Delete’ menu item in the “Bulk Actions” menu.
For single site WordPress installation:
For multi-site WordPress installation:
If a user has the ‘delete_users’ capability, he can see and use these action links; otherwise he cannot.
The ‘delete_users’ user capability is referenced in these WordPress core files:
– wp-admin\users.php;
– wp-admin\network\users.php;
– wp-admin\includes\class-wp-ms-users-list-table.php;
– wp-admin\includes\class-wp-users-list-table.php;
– wp-includes\capabilities.php;
– wp-admin\includes\schema.php;
wp-admin\users.php
All Users list for single-site WordPress: the user deletion command is executed after checking if you have the delete_users capability only.
```php
case 'dodelete':
    if ( is_multisite() )
        wp_die( __('User deletion is not allowed from this screen.') );

    check_admin_referer('delete-users');

    if ( empty($_REQUEST['users']) ) {
        wp_redirect($redirect);
        exit();
    }

    if ( ! current_user_can( 'delete_users' ) )
        wp_die(__('You can’t delete users.'));

    $userids = $_REQUEST['users'];
    $update = 'del';
    $delete_count = 0;

    foreach ( (array) $userids as $id) {
        $id = (int) $id;
        // (excerpt ends here)
```
```php
case 'delete':
    if ( is_multisite() )
        wp_die( __('User deletion is not allowed from this screen.') );

    check_admin_referer('bulk-users');

    if ( empty($_REQUEST['users']) && empty($_REQUEST['user']) ) {
        wp_redirect($redirect);
        exit();
    }

    if ( ! current_user_can( 'delete_users' ) )
        $errors = new WP_Error( 'edit_users', __( 'You can’t delete users.' ) );
```
wp-admin\network\users.php
Multisite (Network) users administration panel. This is the other place where code that deletes users lives. Here WordPress checks again whether you have permission to delete users:
```php
foreach ( (array) $_POST['allusers'] as $key => $val ) {
    if ( !empty( $val ) ) {
        switch ( $doaction ) {
            case 'delete':
                if ( ! current_user_can( 'delete_users' ) )
                    wp_die( __( 'You do not have permission to access this page.' ) );
                // (excerpt ends here)
```
wp-admin\includes\class-wp-ms-users-list-table.php
For a WordPress multisite environment, the decision to show or hide the ‘Delete’ bulk action in the drop-down menu is made here:
class WP_MS_Users_List_Table, function get_bulk_actions()
```php
function get_bulk_actions() {
    $actions = array();
    if ( current_user_can( 'delete_users' ) )
        $actions['delete'] = __( 'Delete' );
    $actions['spam'] = _x( 'Mark as Spam', 'user' );
    $actions['notspam'] = _x( 'Not Spam', 'user' );

    return $actions;
}
```
wp-admin\includes\class-wp-users-list-table.php
Single-site WordPress configuration: the user delete action link is configured here:
class WP_Users_List_Table, function display_rows()
```php
function get_bulk_actions() {
    $actions = array();

    if ( is_multisite() ) {
        if ( current_user_can( 'remove_users' ) )
            $actions['remove'] = __( 'Remove' );
    } else {
        if ( current_user_can( 'delete_users' ) )
            $actions['delete'] = __( 'Delete' );
    }

    return $actions;
}
```
wp-includes\capabilities.php
Function map_meta_cap() maps meta capabilities to primitive capabilities. It does not actually check whether the user ID has the capability; it only determines what the capability or capabilities are.
```php
case 'delete_users':
    // If multisite these caps are allowed only for super admins.
    if ( is_multisite() && !is_super_admin( $user_id ) ) {
        $caps[] = 'do_not_allow';
    } else {
        if ( 'delete_user' == $cap )
            $cap = 'delete_users';
        $caps[] = $cap;
    }
    break;
```
Function is_super_admin determines if a user is a site administrator. On a single-site WordPress you need to have the ‘delete_users’ capability for that.
```php
function is_super_admin( $user_id = false ) {
    if ( $user_id )
        $user = new WP_User( $user_id );
    else
        $user = wp_get_current_user();

    if ( empty( $user->ID ) )
        return false;

    if ( is_multisite() ) {
        $super_admins = get_super_admins();
        if ( is_array( $super_admins ) && in_array( $user->user_login, $super_admins ) )
            return true;
    } else {
        if ( $user->has_cap('delete_users') )
            return true;
    }

    return false;
}
```
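The checks in map_meta_cap() and is_super_admin() above can be turned into a role audit. This is an added example, not WordPress core code and not from the original article: audit_delete_users() is a hypothetical helper, the sample roles are constructed, and the input array is assumed to have the layout of wp_roles()->roles.

```php
<?php
// Added example: report which roles hold 'delete_users' and what that implies.
// $roles layout (assumed, as in wp_roles()->roles):
//   role slug => array( 'name' => ..., 'capabilities' => array( cap => bool ) )
function audit_delete_users( array $roles, $multisite ) {
    $findings = array();
    foreach ( $roles as $slug => $role ) {
        $caps = isset( $role['capabilities'] ) ? $role['capabilities'] : array();
        if ( empty( $caps['delete_users'] ) ) {
            continue; // this role cannot delete users
        }
        $notes = array();
        if ( $multisite ) {
            // map_meta_cap(): 'do_not_allow' unless the user is a super admin
            $notes[] = 'effective only for super admins';
        } else {
            // is_super_admin(): has_cap('delete_users') is the single-site test
            $notes[] = 'is_super_admin() returns true for users in this role';
            if ( empty( $caps['list_users'] ) ) {
                // without list_users the Users list, and its Delete action, is unreachable
                $notes[] = 'no list_users: Delete cannot be used from the Users list';
            }
        }
        $findings[ $slug ] = $notes;
    }
    return $findings;
}

// Constructed sample data; 'support' is a made-up custom role.
$sample_roles = array(
    'administrator' => array(
        'name'         => 'Administrator',
        'capabilities' => array( 'list_users' => true, 'delete_users' => true ),
    ),
    'support'       => array(
        'name'         => 'Support',
        'capabilities' => array( 'read' => true, 'delete_users' => true ),
    ),
    'editor'        => array(
        'name'         => 'Editor',
        'capabilities' => array( 'read' => true, 'edit_posts' => true ),
    ),
);

foreach ( audit_delete_users( $sample_roles, false ) as $slug => $notes ) {
    echo $slug . ': ' . implode( '; ', $notes ) . "\n";
}
```

Inside WordPress, pass wp_roles()->roles and is_multisite() instead of the sample data. Capabilities granted directly to an individual user are not covered by a role-level audit.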
wp-admin\includes\schema.php
The delete_users capability has been available since WordPress version 2.1.0. Look at function populate_roles_210():
```php
$role =& get_role('administrator');
if ( ! empty($role) ) {
    $role->add_cap('delete_users');
    $role->add_cap('create_users');
}
```