Ticket #27743: 27743.2.diff

src/wp-admin/includes/class-wp-users-list-table.php

@@ -214 +214 @@
          *                      or below the table ("bottom").
          */
         protected function extra_tablenav( $which ) {
-                if ( 'top' != $which )
-                        return;
+                $id = 'bottom' === $which ? 'new_role2' : 'new_role';
         ?>
         <div class="alignleft actions">
                 <?php if ( current_user_can( 'promote_users' ) ) : ?>
-                <label class="screen-reader-text" for="new_role"><?php _e( 'Change role to&hellip;' ) ?></label>
-                <select name="new_role" id="new_role">
+                <label class="screen-reader-text" for="<?php echo $id ?>"><?php _e( 'Change role to&hellip;' ) ?></label>
+                <select name="<?php echo $id ?>" id="<?php echo $id ?>">
                         <option value=""><?php _e( 'Change role to&hellip;' ) ?></option>
                         <?php wp_dropdown_roles(); ?>
                 </select>
@@ -250 +249 @@
          * @return string The bulk action required.
          */
         public function current_action() {
-                if ( isset($_REQUEST['changeit']) && !empty($_REQUEST['new_role']) )
+                if ( isset( $_REQUEST['changeit'] ) &&
+                        ( ! empty( $_REQUEST['new_role'] ) || ! empty( $_REQUEST['new_role2'] ) ) ) {
                         return 'promote';
+                }
 
                 return parent::current_action();
         }

src/wp-admin/users.php

@@ -95 +95 @@
         }
 
         $editable_roles = get_editable_roles();
-        if ( empty( $editable_roles[$_REQUEST['new_role']] ) )
-                wp_die(__('You can’t give users that role.'));
+        $role = false;
+        if ( isset( $_REQUEST['new_role'] ) ) {
+                $role = $_REQUEST['new_role'];
+        } elseif ( isset( $_REQUEST['new_role2'] ) ) {
+                $role = $_REQUEST['new_role2'];
+        }
 
+        if ( ! $role || empty( $editable_roles[ $role ] ) ) {
+                wp_die( __( 'You can’t give users that role.' ) );
+        }
+
         $userids = $_REQUEST['users'];
         $update = 'promote';
         foreach ( $userids as $id ) {
@@ -106 +114 @@
                 if ( ! current_user_can('promote_user', $id) )
                         wp_die(__('You can’t edit that user.'));
                 // The new role of the current user must also have the promote_users cap or be a multisite super admin
-                if ( $id == $current_user->ID && ! $wp_roles->role_objects[ $_REQUEST['new_role'] ]->has_cap('promote_users')
+                if ( $id == $current_user->ID && ! $wp_roles->role_objects[ $role ]->has_cap('promote_users')
                         && ! ( is_multisite() && is_super_admin() ) ) {
                                 $update = 'err_admin_role';
                                 continue;
@@ -122 +130 @@
                 }
 
                 $user = get_userdata( $id );
-                $user->set_role($_REQUEST['new_role']);
+                $user->set_role( $role );
         }
 
         wp_redirect(add_query_arg('update', $update, $redirect));