Make WordPress Core

Opened 7 years ago

Closed 3 weeks ago

Last modified 3 weeks ago

#43251 closed defect (bug) (fixed)

editable_roles filter doesn't exclude role on multisite

Reported by: eArtboard Owned by: peterwilsoncc
Milestone: 6.8 Priority: normal
Severity: normal Version: 2.8
Component: Users Keywords: has-patch has-unit-tests commit
Focuses: multisite Cc:

Description

On a multisite installation I am trying to exclude a role using editable_roles filter.

The role is removed from the dropdown but if I change the role value in the DOM using the inspector I can successfully add the excluded role.

This happens only on multisite installations. On single installations if I try to add an excluded role I get the message “Sorry, you are not allowed to give users that role.”

How to reproduce the issue:

  1. Unset a role using the editable_roles filter.
  2. Log in with any role that has the create_user capability.
  3. Add a new user, changing the role value to the excluded role (using the inspector).

Change History (14)

#1 @thomaswm
7 years ago

I think that line 159 in wp-admin/user-new.php is the culprit here. It passes $_REQUEST['role'] to wpmu_signup_user() without checking if the role is editable.

wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) );

#2 @Hareesh Pillai
5 years ago

  • Keywords needs-patch added

#3
9 months ago

This ticket was mentioned in PR #6808 on WordPress/wordpress-develop by @ideag.

  • Keywords has-patch added; needs-patch removed

This adds a check to the create/add user to blog screen to match and allow only the roles that are displayed in the UI.

#4 @spacedmonkey
9 months ago

  • Milestone changed from Awaiting Review to 6.7
  • Owner set to ideag
  • Status changed from new to assigned

#5 @peterwilsoncc
8 months ago

  • Component changed from Networks and Sites to Users
  • Version changed from 4.9.4 to 2.8

I've added some notes to the linked pull request but agree this would be helpful to get into WordPress 6.7.

I've set the version to 2.8 as that's when get_editable_roles() and the associated filter were introduced. It could be argued that it should be 3.0 as that's when Multisite was merged into WordPress Core but let's not bikeshed it too much :)

#6 @peterwilsoncc
5 months ago

  • Keywords changes-requested added
  • Milestone changed from 6.7 to 6.8

I've moved this off the milestone as there are some change requests on the PR that will need to be followed up prior to commit.

#8 @peterwilsoncc
3 weeks ago

  • Keywords commit added; changes-requested removed

The follow-up PR implements the changes suggested in the original, thanks @sukhendu2002, so I think this is good to go in.

#9 @ideag
3 weeks ago

Can I please be removed from this ticket? Thank you!

#10 @peterwilsoncc
3 weeks ago

  • Owner changed from ideag to peterwilsoncc

@ideag I've assigned myself as the owner in your place. I don't think I can block you from receiving notifications about this ticket but I'm about to commit the code so there shouldn't be too many more emails.

#11 @peterwilsoncc
3 weeks ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 59901:

Users: Use editable_roles filter for multisite sub-sites.

Adds a check of the editable_roles filter when adding users to a multisite sub-site to ensure the role is permitted to be used on the network. If the role is blocked by the filter, attempting to add the role will trigger a wp_die() similar to attempting to add a user with the role on a single site install.

Props eartboard, hareesh-pillai, ideag, sukhendu2002, spacedmonkey, thomaswm.
Fixes #43251.
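As an added illustration of the defect from comment #1 and the fix described in the commit above (this is not the code committed in 59901, and the `editable_roles` callback is a constructed example), the unchecked multisite call is shown beside a guarded version that validates the requested role against get_editable_roles() before calling wpmu_signup_user(). It assumes the surrounding variables of wp-admin/user-new.php ($new_user_login, $new_user_email) are already set.

```php
<?php
// Constructed example of a site owner's filter: hide one role from the
// "Add New User" dropdown. The role name here is illustrative only.
add_filter( 'editable_roles', function ( array $roles ) {
	unset( $roles['administrator'] );
	return $roles;
} );

// Pattern reported in the ticket: the role is copied straight from the
// request into the signup meta, so a value typed into the DOM bypasses the
// filter entirely on multisite.
//
// wpmu_signup_user( $new_user_login, $new_user_email, array(
//     'add_to_blog' => get_current_blog_id(),
//     'new_role'    => $_REQUEST['role'],
// ) );

// Guarded pattern: re-derive the allowed roles on the server and refuse any
// role that the editable_roles filter did not return. get_editable_roles()
// applies that filter, so the check and the dropdown always agree.
$new_role = isset( $_REQUEST['role'] ) ? (string) wp_unslash( $_REQUEST['role'] ) : '';

if ( ! array_key_exists( $new_role, get_editable_roles() ) ) {
	// Same outcome a single-site install already produces for a blocked role.
	wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
}

wpmu_signup_user(
	$new_user_login,
	$new_user_email,
	array(
		'add_to_blog' => get_current_blog_id(),
		'new_role'    => $new_role,
	)
);
```

The check is deliberately server-side and independent of the form markup: hiding an option in the dropdown is a usability measure, while array_key_exists() against the filtered list is the authorization decision.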

#12 @ideag
3 weeks ago

I am not concerned about the emails. I do want to avoid receiving props for this one.

#13 @peterwilsoncc
3 weeks ago

@ideag I've removed your credit from the system, as discussed.

#14 @ideag
3 weeks ago

Thank you!
