WordPress.org

Make WordPress Core

Ticket #12387: 12387.diff

File 12387.diff, 862 bytes (added by dd32, 6 years ago)
  • wp-admin/includes/user.php

     
    7676 
    7777        if ( isset( $_POST['role'] ) && current_user_can( 'edit_users' ) ) { 
    7878                $new_role = sanitize_text_field( $_POST['role'] ); 
     79                $potential_role = isset($wp_roles->role_objects[$new_role]) ? $wp_roles->role_objects[$new_role] : false; 
    7980                // Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 
    80                 if( $user_id != $current_user->id || $wp_roles->role_objects[$new_role]->has_cap( 'edit_users' )) 
     81                if ( $user_id != $current_user->id || ($potential_role && $potential_role->has_cap( 'edit_users' ) ) ) 
    8182                        $user->role = $new_role; 
    8283 
    8384                // If the new role isn't editable by the logged-in user die with error