Power Up Your Users With The User Role Editor Plugin

A wise man once said, “With great power comes great responsibility.” In WordPress this comes in the form of user roles which permit different access levels to parts of a WordPress site.

The principle of least privilege in IT is a good one to follow. Only the most trusted users should have the greatest access, so that the integrity and security of a site or network of sites can be preserved.

What are the WordPress user roles?

WordPress has six built-in user roles. They are:

  1. Super Admin: multisite only; has network administration capabilities.
  2. Administrator: the top-level role for a single site; can perform all actions on that site, except those reserved for the Super Admin when multisite is enabled.
  3. Editor: can create, edit, publish and delete posts and pages, moderate comments and upload files.
  4. Author: can publish their own posts, and upload files.
  5. Contributor: can draft and edit their own posts.
  6. Subscriber: can log in and edit their profile only.

Roles are associated with capabilities. The more capabilities a user role has, the more actions they can perform.

Imagine a school. A janitor will have keys to access different rooms in the school. A teacher can access the staff room and classrooms but will only have keys to their own classroom. A student can visit most classrooms, but won’t have any keys at all.

In a standard WordPress install, the Administrator role has the most capabilities for a single site; for a multisite it’s the Super Admin.

The WordPress Codex has a full list of capabilities associated with user roles.

For example, Contributors have the following capabilities:

  • edit_posts: create and edit (but not publish) their own posts
  • delete_posts: delete their own posts
  • read: access and edit their own profile

Plugins and user roles

Custom user roles can be created by plugins. For example, WooCommerce adds two more roles:

  • Shop Manager: shop management capabilities (can view/change all options in the WooCommerce and Products menus). This equates to WordPress’ Editor role.
  • Customer: can view orders, order history and view/edit their account.

An Administrator or Super Admin can add a new user and assign the Shop Manager role. A Customer role is created when someone registers to buy on an online shop.

WooCommerce roles are added to WordPress' dropdown list of roles

bbPress adds another five roles. In order of privilege, from most to least, they are:

  1. Keymaster
  2. Moderator
  3. Participant
  4. Spectator
  5. Blocked

Unlike WooCommerce roles, bbPress roles are separate from the WordPress user role system and do not show in the standard dropdown list of roles.

Individual users gain the Participant role by participating in a forum. Admins can also assign a user a forum role by editing their profile.

Custom user roles

Most of the time the pre-defined user roles will be adequate, but there are a few cases where you might need a more bespoke implementation. Going back to the school analogy, there might be a head janitor who owns keys for certain rooms that the other janitors don’t have.

That’s where the User Role Editor plugin comes in. It allows more fine-grained control over role capabilities. You can power up your users, but keep them in check.

With User Role Editor you can:

  1. Add your own roles and set their capabilities
  2. Rename roles
  3. Add capabilities to roles
  4. Delete roles
  5. Create your own capabilities

You can also change roles and capabilities for individual users.

You may be pleased to know that User Role Editor is GDPR compliant.

A quick tour round User Role Editor

Plugin settings are at Settings > User Role Editor, where you can tweak a few settings and also reset all the roles to their defaults. There’s a big warning that you’ll lose any changes you made with a reset.

Go to Users > User Role Editor to edit roles.

Show capabilities in human readable form makes the capabilities a little clearer to read.

Granted shows only capabilities that a role has already.

The Quick filter is handy if you know a capability name you want to change but can’t spot it in the list. It highlights the name in green.

User Role Editor showing Editors' granted capabilities, human readable form

Switching user roles when testing modifications

You will find the User Switching plugin a time-saver. It allows you to change from one user to another with one click. This saves you the bother of logging out and in again as the new user.

The one role I found problematic using this method was the Subscriber role. There was no admin bar shown on my install for a subscriber, so I had no easy way to switch back to an administrator without logging out and logging back in.

Make sure you test out fully any capability changes: you don’t want your users being able to access something unexpected!

Sorry, you are not allowed to access this page

Changing default role capabilities

Contributors: uploading media

On a multi-author blog such as the WPMU DEV blog, posts are sent for moderation before publishing. The natural role to fit is the Contributor role, but this role doesn’t let writers upload images (a fairly essential task!).

Contributors’ view of the post editor: the Add Media button is absent

The capability to add is upload_files, which is within the General Core section.

The upload_files box should be checked

This allows the user to add media to posts. Users may see other buttons next to Add Media – it depends on what plugins you have installed.

Contributors who can upload media can see and use all files in the Media Library, unlike posts, where they can only view their own.

A Contributor who can upload files can use the Add Media button to add images

Editors: managing widgets and menus

Editors can’t access any options in the Appearance menu, which means that they can’t administer widgets or menus. There are times when this would be useful.

The simplest option is to change the capabilities of the Editor role. The relevant capability is edit_theme_options, within the Themes group.

This gives the capability to see most of the options in the Appearance submenu.

A modified Editor can't switch the theme but can customize it

While the user can’t switch the theme, or edit the PHP code, they can customize it and make other changes. The issue is that the edit_theme_options capability combines a few different permissions. Is there anything we can do about this?

One possibility is to remove the menu items and options we don’t need our Editors to have. For the Storefront theme, we need two functions to do it, which we can add to a child theme.
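As an added example (not code from the original post), here is one way to write those two functions in a child theme’s functions.php. It treats a user who has edit_theme_options but lacks switch_themes as a modified Editor, keeps only Widgets and Menus in the Appearance menu, and also refuses direct requests to themes.php and customize.php, since hiding a menu item alone does not block the page. The function names are my own.

```php
<?php
// 1. Hide every Appearance submenu except Widgets and Menus for users who
//    cannot switch themes. Administrators (and Super Admins) keep the full menu.
function wpmu_trim_appearance_menu() {
    global $submenu;

    if ( current_user_can( 'switch_themes' ) || empty( $submenu['themes.php'] ) ) {
        return;
    }

    // Submenu slugs to keep; everything else under Appearance is removed,
    // including Themes, Customize and any theme-specific pages such as
    // the Storefront welcome page (themes.php?page=...).
    $keep = array( 'widgets.php', 'nav-menus.php' );

    // foreach iterates over a copy, so removing entries while looping is safe.
    foreach ( $submenu['themes.php'] as $item ) {
        $slug = $item[2]; // e.g. 'themes.php' or 'customize.php?return=...'
        if ( ! in_array( $slug, $keep, true ) ) {
            remove_submenu_page( 'themes.php', $slug );
        }
    }
}
// Late priority so themes and plugins have already registered their pages.
add_action( 'admin_menu', 'wpmu_trim_appearance_menu', 999 );

// 2. A hidden menu item is not an access control: the page still answers to
//    its URL. Deny themes.php and customize.php outright unless the user can
//    switch themes. widgets.php and nav-menus.php are separate files and stay
//    reachable through edit_theme_options as before.
function wpmu_block_theme_pages() {
    if ( ! current_user_can( 'switch_themes' ) ) {
        wp_die(
            __( 'Sorry, you are not allowed to access this page.' ),
            '',
            array( 'response' => 403 )
        );
    }
}
add_action( 'load-themes.php', 'wpmu_block_theme_pages' );
add_action( 'load-customize.php', 'wpmu_block_theme_pages' );
```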

This is the result:

A custom Editor role viewing only Widgets and Menus in the Appearance section

Note that this is not completely foolproof. The menu options won’t be shown but the pages still exist. A canny Editor could still reach them and get up to mischief by typing in the URLs directly.

Editors: viewing and editing users

Only Administrators or Super Admins can see the Users menu. Imagine a large multi-user site running BuddyPress or bbPress. There will be a large number of users, but few admins to manage them.

To get around this, you can add two capabilities for Editors: list_users and edit_users.

This allows your Editors to see the list of users, edit their profiles and change their role. An Editor cannot promote a user above Editor level.

If you’re using User Switching, your Editor also has the Switch To option, but he/she won’t be able to switch to an Administrator or Super Admin account.

The Administrator role is missing from this custom Editor’s Users view

If you really trust your Editors, you can grant the delete_users permission as well.

Creating a custom role: WooCommerce Shop assistant

To create a new role, you can start with a blank slate, or by copying an existing role. Let’s say we’d like a Shop assistant who can view products plus add, edit and publish their own products. But we don’t want this role to edit or delete existing products.

Add new Shop assistant role

I’ve started with a Contributor role and added the following WooCommerce capabilities:

  • assign_product_terms: to assign a category or a tag to a product
  • delete_product: to delete a single product they’ve created
  • delete_products: to bulk delete their own products
  • delete_published_products: to delete their own published products
  • edit_product: to create and edit their own products
  • edit_product_terms: to change category or tag on their own products
  • edit_products: to bulk edit their own products
  • edit_published_products: to edit their own published products
  • publish_products: to publish their own products
  • read_product: to view products

The Shop assistant can also import a CSV of products.

This custom role also has the following WordPress capabilities:

  • edit_posts
  • read
  • upload_files
  • view

The Shop assistant can add and edit their products, publish them, add product images and categories or tags

The Shop assistant can only view other people’s products, not edit them

Custom bbPress roles

As mentioned earlier, bbPress roles don’t show up with the other roles.

Vladimir Garagulia, author of User Role Editor, writes about bbPress:

bbPress does not store its roles in the database as WordPress does. bbPress creates its roles on the fly via PHP code on every page load. bbPress roles are not supported by the free version of User Role Editor for this reason. URE excludes them from processing by design. Full support for bbPress roles, including editing, is realized in the Pro version of User Role Editor.

Renaming roles

Renaming is only an option for roles you have made, and you can only change the role name, not the role ID.

Deleting roles

You can only delete roles that you’ve created, and only if no users are assigned that role. You must remove all users from a role first in order to delete it.

Changing individual user capabilities

You can get even more granular by editing individual users and their capabilities. Simply go to the user profile and click on the Edit link next to Capabilities. You can then add to or take away their powers!

Changing capabilities of a single user

Adding and deleting capabilities

If you’re a plugin developer you might want to add your own capabilities. You can read more about creating capabilities in the Codex.

Capabilities can also be deleted, e.g. ones left behind by old plugins. Don’t use this option unless you know what you’re doing. Note that WordPress core capabilities can’t be deleted.

Summing up

User Role Editor provides a simple UI to change your users’ abilities. Before changing or adding roles, though, make sure that:

  • there’s a good use case for doing so
  • you test your changes on a staging site before going live
  • you’ve tried out the new role thoroughly – you don’t want your superhero users to become supervillains!

Claire Brotherton
Have you modified the default user roles? Share your tips in the comments.