Ticket #38577: 38577.diff

src/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

@@ -1007 +1007 @@
                                         'description' => __( 'Roles assigned to the resource.' ),
                                         'type'        => 'array',
                                         'context'     => array( 'edit' ),
+                                        'arg_options' => array(
+                                                'sanitize_callback' => 'wp_parse_slug_list',
+                                        ),
                                 ),
                                 'password'        => array(
                                         'description' => __( 'Password for the resource (never included).' ),

tests/phpunit/tests/rest-api/rest-users-controller.php

@@ -907 +907 @@
                 $this->assertArrayNotHasKey( 'administrator', $user->caps );
         }
 
+        public function test_update_user_multiple_roles() {
+                $user_id = $this->factory->user->create( array( 'role' => 'administrator' ) );
+
+                wp_set_current_user( self::$user );
+                $this->allow_user_to_manage_multisite();
+
+                $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/users/%d', $user_id ) );
+                $request->set_param( 'roles', 'author,editor' );
+                $response = $this->server->dispatch( $request );
+
+                $new_data = $response->get_data();
+
+                $this->assertEquals( array( 'author', 'editor' ), $new_data['roles'] );
+
+                $user = get_userdata( $user_id );
+                $this->assertArrayHasKey( 'author', $user->caps );
+                $this->assertArrayHasKey( 'editor', $user->caps );
+                $this->assertArrayNotHasKey( 'administrator', $user->caps );
+        }
+
         public function test_update_user_role_invalid_privilege_escalation() {
                 wp_set_current_user( self::$editor );