Opened 5 years ago
Last modified 3 years ago
#43251 new defect (bug)
editable_roles filter doesn't exclude role on multisite
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 4.9.4 |
Component: | Networks and Sites | Keywords: | needs-patch |
Focuses: | multisite | Cc: |
Description
On a multisite installation I am trying to exclude a role using the editable_roles filter.
The role is removed from the dropdown but if I change the role value in the DOM using the inspector I can successfully add the excluded role.
This happens only on multisite installations. On single installations if I try to add an excluded role I get the message “Sorry, you are not allowed to give users that role.”
How to reproduce the issue:
- Unset a role using the editable_roles filter.
- Log in with any role that has the capability create_user.
- Add a new user, changing any role value to the excluded role (using the inspector).
I think that line 159 in wp-admin/user-new.php is the culprit here. It passes $_REQUEST['role'] to wpmu_signup_user() without checking if the role is editable.

```php
wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) );
```
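
One way to enforce the missing check server-side until core does it, as an added example that is not WordPress core code or a patch from this ticket: a must-use plugin that hooks the `wpmu_validate_user_signup` filter and rejects a submitted role that `get_editable_roles()` no longer returns. The function name `example_reject_non_editable_role` and the `role` error code are hypothetical; it assumes the request is the "Add New User" form handled by wp-admin/user-new.php.

```php
<?php
/**
 * Added example (not WordPress core code): on multisite, refuse a submitted
 * role that the editable_roles filter has removed.
 * Assumption: loaded as a must-use plugin; the function name is hypothetical.
 */

add_filter( 'wpmu_validate_user_signup', 'example_reject_non_editable_role' );

function example_reject_non_editable_role( $result ) {
	// Only act on the wp-admin "Add New User" form (action=createuser);
	// front-end signups also run this filter and carry no role field.
	if ( ! is_admin() || ! isset( $_REQUEST['action'] ) || 'createuser' !== $_REQUEST['action'] ) {
		return $result;
	}

	// get_editable_roles() lives in an admin include; load it if needed.
	if ( ! function_exists( 'get_editable_roles' ) ) {
		require_once ABSPATH . 'wp-admin/includes/user.php';
	}

	$role = isset( $_REQUEST['role'] ) ? wp_unslash( $_REQUEST['role'] ) : '';

	// get_editable_roles() applies the editable_roles filter, so a role
	// unset there is absent from this array even if the client submits it.
	$allowed = is_string( $role )
		&& ( '' === $role || array_key_exists( $role, get_editable_roles() ) );

	if ( ! $allowed ) {
		if ( ! isset( $result['errors'] ) || ! is_wp_error( $result['errors'] ) ) {
			$result['errors'] = new WP_Error();
		}
		// Same wording single-site installs show for this case.
		$result['errors']->add(
			'role',
			__( 'Sorry, you are not allowed to give users that role.' )
		);
	}

	return $result;
}
```

Because user-new.php only calls `wpmu_signup_user()` when the validation result carries no errors, the added error stops the signup before the role is stored. It covers only the create-user path described in this ticket.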