WP_User::set_role leaves user object without any caps when role does not change
Reported by: jammitch | Owned by: ryan
The first thing WP_User::set_role does is clear out the user's existing caps array. Then it checks to see if the passed-in role is the user's current role, and quits the function if so. This is great if the role actually changes. If it does not, this leaves the user with the same role, but without any caps whatsoever for the remainder of the current page.
Core WordPress code may not use the function in this way, but plugins may.
Plugins calling set_role should wrap the call in the same-role check found inside the function.
Do the same-role check prior to unsetting the caps.
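The ordering problem described in this ticket, as an added example that is not part of the original report and is not WordPress core code: a simplified stand-in class shows the clear-then-check order, the check-then-clear order, and the caller-side guard. The class `DemoUser`, its methods and `demo_set_role_guarded` are hypothetical names, and the caps array is reduced to one entry per role.

```php
<?php
// Simplified stand-in for a user object (assumption: one role, caps keyed by role name).
class DemoUser {
    public $roles = array();
    public $caps  = array();

    public function __construct( $role ) {
        $this->roles = array( $role );
        $this->caps  = array( $role => true );
    }

    // Order described in the ticket: caps are cleared before the same-role check.
    public function set_role_buggy( $role ) {
        foreach ( $this->roles as $old ) {
            unset( $this->caps[ $old ] );
        }
        if ( 1 === count( $this->roles ) && $role === $this->roles[0] ) {
            return; // same role: returns after the caps were already removed
        }
        $this->assign( $role );
    }

    // Order proposed in the ticket: same-role check before touching the caps.
    public function set_role_fixed( $role ) {
        if ( 1 === count( $this->roles ) && $role === $this->roles[0] ) {
            return; // nothing to change, caps stay intact
        }
        foreach ( $this->roles as $old ) {
            unset( $this->caps[ $old ] );
        }
        $this->assign( $role );
    }

    private function assign( $role ) {
        $this->roles         = array( $role );
        $this->caps[ $role ] = true;
    }
}

// Caller-side guard for plugins: skip the call when the role would not change.
function demo_set_role_guarded( DemoUser $user, $role ) {
    if ( array( $role ) !== $user->roles ) {
        $user->set_role_buggy( $role );
    }
}

$a = new DemoUser( 'editor' ); $a->set_role_buggy( 'editor' );
$b = new DemoUser( 'editor' ); $b->set_role_fixed( 'editor' );
$c = new DemoUser( 'editor' ); demo_set_role_guarded( $c, 'editor' );
var_dump( $a->caps, $b->caps, $c->caps ); // compare the three caps arrays
```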
Change History (8)
- Summary changed from WP_User::set_role to WP_User::set_role leaves user object without any caps when role does not change
- Component changed from General to Role/Capability
- Keywords has-patch added
- Severity changed from normal to minor