Feature suggestion: log changes to roles and capabilities
I recently switched to Simple History from another logging plugin, and am incredibly happy with it; thank you for creating this plugin. One thing I realized while working on a new site is that there are no records in WordPress of user roles being created or deleted, or of capabilities being added or removed from a role. Whatever is in the wp_user_roles option in the database will persist indefinitely. Thus it's possible for someone or something to mistakenly or maliciously tamper with user capabilities, and an admin would never know.
I'd love it if Simple History started tracking these changes to make them visible to administrators. Changes during plugin activation/deactivation could probably be rolled up into that event, but otherwise a fairly high alert level would be merited, I think.
That's a pretty interesting idea. 🤔 Do you have any plugin examples that modify roles and that the plugin with this feature would have created a log entry for?
A couple come to mind that add their own administrator capabilities:
- Download Monitor adds several capabilities on installation: https://plugins.trac.wordpress.org/browser/download-monitor/trunk/src/Installer.php#L72
- Satispress does the same: https://github.com/cedaro/satispress/blob/develop/src/Capabilities.php
- Yoast registers different ones for admins and editors: https://developer.yoast.com/customization/yoast-seo/filters/capability-roles-filter/
The bigger risk is probably from users modifying things after the fact, though. Plugins with custom roles often have some support documentation showing how to add their capabilities to another role, sometimes by editing functions.php (Admin Columns example) or using a dedicated role-editing plugin (Download Monitor example). For sites with multiple administrators it would be great to know when someone does this (especially if a non-admin role is changed that admins might not be seeing personally).
I've also been stung before by a role reset. WP CLI has a wp role reset command that restores the default capabilities and wipes out any changes plugins may have made – which is arguably more destructive!
Hi, it would be so great, because an editor can set the "administrator" role (it is so bad). WP does not have any hierarchy for roles. With the "Members" plugin you can override this missing feature. https://wordpress.org/plugins/members/ "Role Hierarchy: Creates a hierarchical roles system."
Changing a role can be captured by https://developer.wordpress.org/reference/classes/wp_user/set_role/
do_action( 'set_user_role', $this->ID, $role, $old_roles );
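A sketch of what such logging could hook into, written as an added example for this thread and not code from Simple History or WordPress core (the rca_ names are made up, and error_log() stands in for whatever logger the plugin uses). It records the set_user_role action quoted above and diffs the {prefix}_user_roles option whenever it is updated, which is where add_role(), remove_role() and WP_Role::add_cap() write, so it also catches the role-editor and functions.php changes and the WP-CLI reset mentioned earlier.

```php
<?php
// Example mu-plugin: audit role assignments and edits to the roles option (constructed example).

// Who performed the change: a user id, or "wp-cli" when run from the command line (e.g. `wp role reset`).
function rca_actor() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return 'wp-cli';
    }
    $uid = get_current_user_id();
    return $uid ? 'user#' . $uid : 'anonymous/cron';
}

// Fires from WP_User::set_role() whenever a user's role is replaced.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    error_log( sprintf( '[role-audit] %s set role of user#%d to "%s" (was: %s)',
        rca_actor(), $user_id, $role, implode( ',', $old_roles ) ?: 'none' ) );
}, 10, 3 );

// Fires after any option is updated; keep only the roles option ({prefix}_user_roles).
add_action( 'updated_option', function ( $option, $old, $new ) {
    global $wpdb;
    if ( $option !== $wpdb->prefix . 'user_roles' ) {
        return;
    }
    foreach ( rca_role_diff( (array) $old, (array) $new ) as $line ) {
        error_log( '[role-audit] ' . rca_actor() . ' ' . $line );
    }
}, 10, 3 );

// Compare two role tables and return one line per added/removed role or capability.
// Capabilities are stored as cap => true/false; a cap flipped to false counts as revoked.
function rca_role_diff( array $old, array $new ) {
    $lines = array();
    foreach ( array_keys( array_diff_key( $new, $old ) ) as $slug ) {
        $lines[] = "added role \"$slug\"";
    }
    foreach ( array_keys( array_diff_key( $old, $new ) ) as $slug ) {
        $lines[] = "removed role \"$slug\"";
    }
    foreach ( array_intersect_key( $new, $old ) as $slug => $def ) {
        $before = array_filter( isset( $old[ $slug ]['capabilities'] ) ? $old[ $slug ]['capabilities'] : array() );
        $after  = array_filter( isset( $def['capabilities'] ) ? $def['capabilities'] : array() );
        foreach ( array_keys( array_diff_key( $after, $before ) ) as $cap ) {
            $lines[] = "granted \"$cap\" to role \"$slug\"";
        }
        foreach ( array_keys( array_diff_key( $before, $after ) ) as $cap ) {
            $lines[] = "revoked \"$cap\" from role \"$slug\"";
        }
    }
    return $lines;
}
```

Only changes made through the WordPress API reach these hooks; a row edited directly in the database leaves no trace here, so a periodic comparison of the stored option against a known-good copy is still worth having.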
Thanks for the feedback! I've added this to my todo list.
A quick question @1ucay: You said
"because editor can set "administrator" role ( it is so bad )". Where and how is this possible? I checked the user admin screens as an editor but could not see that.
If you add the cap "promote_users": https://wordpress.stackexchange.com/questions/240557/does-the-promote-users-capability-allow-someone-to-create-a-new-admin-account
If you have multiple roles in WP (admin, chief editor, editor, co-editors, users without the read cap), WP basically cannot restrict the chief editor to assigning only rights lower than he himself has.
Btw, I like the old version of Members => https://plugins.svn.wordpress.org/members/tags/2.2.0/ The original author sold the rights to the plugin and, as is often the case, the new one added advertising to it.