Make WordPress Core


Timestamp:
02/19/2026 09:42:59 AM (3 months ago)
Author:
audrasjb
Message:

Administration: Warn when open registration and new user default is privileged.

Previously, WordPress allowed site owners to open registration AND to set the default new user level to "Administrator" or "Editor". While this combination may make sense for some sites, this is generally a really really bad idea.

With this changeset:

  • Administrator and Editor roles are now removed from the new user default role selector in the General Options admin screen.
  • If such a role was selected before, an alert is shown in Site Health.
  • A new filter is introduced: default_role_dropdown_excluded_roles allows developers to change the default excluded roles in the dropdown.

Props kraftbj, subrataemfluence, roytanck, dd32, ottok, jrf, eatingrules, verygoode, generosus, stevejburge, arunu1996, benniledl, audrasjb, mukesh27, swissspidy, Mte90, zodiac1978, pooja1210, davidbaumwald, johnbillion, jorbin, SirLouen, oglekler, kirasong, shailu25, huzaifaalmesbah, jsmansart.
Fixes #43936.

File:
1 edited

  • trunk/src/wp-admin/includes/template.php

    r61681 r61687  
    968968 *
    969969 * @since 2.1.0
    970  *
    971  * @param string $selected Slug for the role that should be already selected.
    972  */
    973 function wp_dropdown_roles( $selected = '' ) {
     970 * @since 7.0.0 Added $editable_roles parameter.
     971 *
     972 * @param string $selected       Slug for the role that should be already selected.
     973 * @param array  $editable_roles Array of roles to include in the dropdown. Defaults to all
     974 *                               roles the current user is allowed to edit.
     975 */
     976function wp_dropdown_roles( $selected = '', $editable_roles = null ) {
    974977    $r = '';
    975978
    976     $editable_roles = array_reverse( get_editable_roles() );
     979    if ( null === $editable_roles ) {
     980        $editable_roles = array_reverse( get_editable_roles() );
     981    }
    977982
    978983    foreach ( $editable_roles as $role => $details ) {
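
Review bot: In the new `null === $editable_roles` branch, only the default path goes through `get_editable_roles()` and `array_reverse()`; an array passed by the caller reaches the `foreach` as-is, so it is neither limited to roles the current user is allowed to edit nor reversed into the same order as the default. Either intersect the passed array with `get_editable_roles()` (for example with `array_intersect_key()`) before the loop, or state in the `@param` description that the caller is responsible for filtering and ordering. The docblock should also declare the type as `array|null` to match the `null` default, and say that the array is keyed by role slug, since the loop reads `$role => $details`.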