Make WordPress Core

Opened 7 years ago

Last modified 16 hours ago

#43251 assigned defect (bug)

editable_roles filter doesn't exclude role on multisite

Reported by: eArtboard Owned by: ideag
Milestone: 6.8 Priority: normal
Severity: normal Version: 2.8
Component: Users Keywords: has-patch changes-requested has-unit-tests
Focuses: multisite Cc:

Description

On a multisite installation I am trying to exclude a role using editable_roles filter.

The role is removed from the dropdown but if I change the role value in the DOM using the inspector I can successfully add the excluded role.

This happens only on multisite installations. On single installations if I try to add an excluded role I get the message “Sorry, you are not allowed to give users that role.”

How to reproduce the issue:

  1. Unset a role using the editable_roles filter.
  2. Log in with any role that has the create_user capability.
  3. Add a new user, changing any role value to the excluded role (using the inspector).

Change History (7)

#1 @thomaswm
7 years ago

I think that line 159 in wp-admin/user-new.php is the culprit here. It passes $_REQUEST['role'] to wpmu_signup_user() without checking if the role is editable.

wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) );

#2 @Hareesh Pillai
5 years ago

  • Keywords needs-patch added

#3
6 months ago

This ticket was mentioned in PR #6808 on WordPress/wordpress-develop by @ideag.

  • Keywords has-patch added; needs-patch removed

This adds a check to the create/add user to blog screen to match and allow only the roles that are displayed in the UI.
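As an added illustration of the kind of check described above (this is example code, not the patch from PR #6808 or core code), a plugin can hide a role through editable_roles and then re-validate the submitted role against get_editable_roles() before the multisite signup call, mirroring the single-site error. The role slug and the wrapper function names are hypothetical.

```php
<?php
// Added example, not core code or PR #6808. The editable_roles filter only
// shapes the dropdown; the submitted value must be re-validated server side.

// 1. Hide a role from the "Add New User" dropdown.
add_filter( 'editable_roles', function ( $roles ) {
    unset( $roles['restricted_role'] ); // hypothetical role slug, constructed for this example
    return $roles;
} );

// 2. Validate a submitted role the same way the single-site path does.
//    Returns the role slug on success or a WP_Error when it is not editable.
function example_validate_requested_role( $requested_role ) {
    $editable = get_editable_roles(); // already passed through editable_roles
    if ( ! is_string( $requested_role ) || ! isset( $editable[ $requested_role ] ) ) {
        return new WP_Error(
            'illegal_role',
            __( 'Sorry, you are not allowed to give users that role.' )
        );
    }
    return $requested_role;
}

// 3. Enforce the check before the multisite signup call (hypothetical
//    wrapper around the wpmu_signup_user() call quoted in comment #1).
function example_multisite_add_user( $login, $email, $requested_role ) {
    $role = example_validate_requested_role( $requested_role );
    if ( is_wp_error( $role ) ) {
        return $role; // caller shows the error instead of creating the signup
    }
    wpmu_signup_user(
        $login,
        $email,
        array(
            'add_to_blog' => get_current_blog_id(),
            'new_role'    => $role,
        )
    );
    return true;
}
```

Calling example_multisite_add_user() with 'restricted_role' now returns the same "not allowed to give users that role" WP_Error the reporter sees on single-site installs, regardless of what the browser submitted.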

#4 @spacedmonkey
6 months ago

  • Milestone changed from Awaiting Review to 6.7
  • Owner set to ideag
  • Status changed from new to assigned

#5 @peterwilsoncc
5 months ago

  • Component changed from Networks and Sites to Users
  • Version changed from 4.9.4 to 2.8

I've added some notes to the linked pull request but agree this would be helpful to get into WordPress 6.7.

I've set the version to 2.8 as that's when get_editable_roles() and the associated filter were introduced. It could be argued that it should be 3.0 as that's when Multisite was merged into WordPress Core but let's not bikeshed it too much :)

#6 @peterwilsoncc
2 months ago

  • Keywords changes-requested added
  • Milestone changed from 6.7 to 6.8

I've moved this off the milestone as there are some change requests on the PR that will need to be followed up prior to commit.
