Make WordPress Core

Opened 6 years ago

Last modified 4 years ago

#43251 new defect (bug)

editable_roles filter doesn't exclude role on multisite

Reported by: eArtboard
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.9.4
Component: Networks and Sites
Keywords: needs-patch
Focuses: multisite
Cc:


On a multisite installation I am trying to exclude a role using editable_roles filter.

The role is removed from the dropdown but if I change the role value in the DOM using the inspector I can successfully add the excluded role.

This happens only on multisite installations. On single installations if I try to add an excluded role I get the message “Sorry, you are not allowed to give users that role.”

How to reproduce the issue:

  1. Unset a role using the editable_roles filter.
  2. Log in with any role that has the create_user capability.
  3. Add a new user, changing any role value to the excluded role (using the inspector).

Change History (2)

#1 @thomaswm
6 years ago

I think that line 159 in wp-admin/user-new.php is the culprit here. It passes $_REQUEST['role'] to wpmu_signup_user() without checking if the role is editable.

wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) );

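Added example plugin, not code from the ticket or from WordPress core: it shows the editable_roles filter the reporter describes, then enforces the same server-side check that single-site edit_user() performs (comparing the requested role against get_editable_roles()) before wp-admin/user-new.php processes the multisite form. The hook name load-user-new.php and the action values createuser/adduser are assumptions about the admin request flow; the helper name is hypothetical.

```php
<?php
/**
 * Plugin Name: Restrict assignable roles (example)
 */

// Hide the 'administrator' role from everyone who is not a super admin.
// This only affects the dropdown; enforcement is the second hook below.
add_filter( 'editable_roles', function ( array $roles ) {
    if ( ! is_super_admin() ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// Hypothetical helper: true only if the role survived the editable_roles filter.
function example_role_is_editable( $role ) {
    return array_key_exists( $role, get_editable_roles() );
}

// Server-side enforcement for the multisite "Add New User" screen. Runs before
// user-new.php reads $_REQUEST['role'], so a value edited in the DOM inspector
// is rejected instead of being passed to wpmu_signup_user() unchecked.
// (Assumption: admin.php fires 'load-user-new.php' for this screen and the
// form submits action=createuser or action=adduser.)
add_action( 'load-user-new.php', function () {
    if ( ! is_multisite() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    if ( ! in_array( $_REQUEST['action'], array( 'createuser', 'adduser' ), true ) ) {
        return;
    }
    // Compare the raw role key; do not normalise it, or "Editor" would be
    // checked as "editor" while user-new.php still receives the raw value.
    $role = isset( $_REQUEST['role'] ) ? (string) wp_unslash( $_REQUEST['role'] ) : '';
    if ( '' !== $role && ! example_role_is_editable( $role ) ) {
        wp_die( __( 'Sorry, you are not allowed to give users that role.' ), '', 403 );
    }
} );
```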
#2 @Hareesh Pillai
4 years ago

  • Keywords needs-patch added