It’s actually pretty easy. You need to filter into map_meta_caps and stop editors from creating/editing admins, and remove the administrator role from the ‘editable roles’ array. This class, as a plugin or in your theme’s functions.php file would do it:
class JPB_User_Caps {
// Add our filters
function __construct(){
add_filter( 'editable_roles', array($this, 'editable_roles'));
add_filter( 'map_meta_cap', array($this, 'map_meta_cap'), 10, 4);
}
// Remove 'Administrator' from the list of roles if the current user is not an admin
function editable_roles( $roles ){
if( isset( $roles['administrator'] ) && !current_user_can('administrator') ){
unset( $roles['administrator']);
}
return $roles;
}
// If someone is trying to edit or delete and admin and that user isn't an admin, don't allow it
function map_meta_cap( $caps, $cap, $user_id, $args ){
switch( $cap ){
case 'edit_user':
case 'remove_user':
case 'promote_user':
if( isset($args[0]) && $args[0] == $user_id )
break;
elseif( !isset($args[0]) )
$caps[] = 'do_not_allow';
$other = new WP_User( absint($args[0]) );
if( $other->has_cap( 'administrator' ) ){
if(!current_user_can('administrator')){
$caps[] = 'do_not_allow';
}
}
break;
case 'delete_user':
case 'delete_users':
if( !isset($args[0]) )
break;
$other = new WP_User( absint($args[0]) );
if( $other->has_cap( 'administrator' ) ){
if(!current_user_can('administrator')){
$caps[] = 'do_not_allow';
}
}
break;
default:
break;
}
return $caps;
}
}
$jpb_user_caps = new JPB_User_Caps();
EDIT
Ok, so I took a look into why it was letting user deletion slip through. It looks like delete_user is handled slightly differently from edit_user; I’ve modified the map_meta_cap method to work around this. I’ve tested on 3.0.3 and this will prevent anybody but administrators from actually deleting, editing, or creating an administrator.
EDIT 2
I updated the code to reflect @bugnumber9 ‘s answer below. Please go give that answer an upvote!