Make WordPress Core

Opened 4 years ago

Closed 3 years ago

Last modified 3 years ago

#18932 closed defect (bug) (fixed)

WP_User::set_role leaves user object without any caps when role does not change

Reported by: jammitch
Owned by: ryan
Milestone: 3.5
Priority: normal
Severity: minor
Version: 3.1
Component: Role/Capability
Keywords: has-patch
Focuses:
Cc:


The first thing WP_User::set_role does is clear out the user's existing caps array. Then it checks to see if the passed-in role is the user's current role, and quits the function if so. This is great if the role actually changes. If it does not, this leaves the user with the same role, but without any caps whatsoever for the remainder of the current page.

Core WordPress code may not use the function in this way, but plugins may.

Plugins calling set_role should wrap the call in the same-role check found inside the function.

Do the same-role check prior to unsetting the caps.

Attachments (1)

18932.diff (629 bytes) - added by scribu 4 years ago.


Change History (8)

#1 @jammitch
4 years ago

  • Summary changed from WP_User::set_role to WP_User::set_role leaves user object without any caps when role does not change

#2 @scribu
4 years ago

  • Component changed from General to Role/Capability
  • Keywords has-patch added
  • Severity changed from normal to minor


add_action( 'admin_notices', function() {
	$user = new WP_User( 2 ); // 2 being the id of a user with the 'subscriber' role

	print_r( $user->caps );

	$user->set_role( 'subscriber' );

	print_r( $user->caps );
} );

#3 follow-up: @blueyed
4 years ago

  • Version changed from 3.2.1 to 3.4

#4 in reply to: ↑ 3 @duck_
4 years ago

  • Version changed from 3.4 to 3.1

Replying to blueyed:

The version number is the earliest version in which the bug is confirmed and shouldn't normally be changed on existing tickets.

This code was introduced in 3.1 for #14708.

#5 @wonderboymusic
3 years ago

  • Milestone changed from Awaiting Review to 3.5

This is small and useful

#6 @ryan
3 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In 22418:

When using WP_User::set_role() to set the role, don't unset all caps when the requested role matches the current role.

Props scribu, jammitch
fixes #18932
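
The ordering problem reported in this ticket, next to the reordering it proposes, as an added example that is not WordPress core code and not the attached patch. DemoUser, ROLE_CAPS, can() and the two method names are hypothetical, and the sample user is constructed; the model only tracks a role list and a caps array keyed by role name.

```php
<?php
// Simplified model of the ordering issue in this ticket; not WordPress core code.
// DemoUser, ROLE_CAPS and can() are hypothetical names used for illustration.
class DemoUser {
	const ROLE_CAPS = array(
		'subscriber' => array( 'read' ),
		'editor'     => array( 'read', 'edit_posts' ),
	);
	public $roles, $caps;
	public function __construct( $role ) {
		$this->roles = array( $role );
		$this->caps  = array( $role => true );
	}

	// Ordering reported in the ticket: caps are unset first, same-role check second.
	public function set_role_before_fix( $role ) {
		$this->caps = array_diff_key( $this->caps, array_flip( $this->roles ) );
		if ( 1 === count( $this->roles ) && $role === $this->roles[0] ) {
			return; // early return leaves $caps emptied for the rest of the request
		}
		$this->roles = array( $role );
		$this->caps[ $role ] = true;
	}

	// Ordering proposed in the ticket: same-role check before anything is unset.
	public function set_role_after_fix( $role ) {
		if ( 1 === count( $this->roles ) && $role === $this->roles[0] ) {
			return; // nothing to change, caps untouched
		}
		$this->caps  = array_diff_key( $this->caps, array_flip( $this->roles ) );
		$this->roles = array( $role );
		$this->caps[ $role ] = true;
	}

	public function can( $cap ) {
		foreach ( array_keys( $this->caps ) as $role ) {
			if ( in_array( $cap, self::ROLE_CAPS[ $role ], true ) ) {
				return true;
			}
		}
		return false;
	}
}

foreach ( array( 'set_role_before_fix', 'set_role_after_fix' ) as $method ) {
	$user = new DemoUser( 'subscriber' ); // constructed sample user
	$user->$method( 'subscriber' );       // same role as the current one
	printf( "%s: caps=%s can(read)=%s\n", $method, json_encode( $user->caps ), var_export( $user->can( 'read' ), true ) );
}
```

A plugin that checks capabilities later in the same request would see the first variant deny everything for that user object, even though the stored role never changed.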
