Opened 7 years ago
Last modified 16 hours ago
#43251 assigned defect (bug)
editable_roles filter doesn't exclude role on multisite
Reported by: | eArtboard | Owned by: | ideag |
---|---|---|---|
Milestone: | 6.8 | Priority: | normal |
Severity: | normal | Version: | 2.8 |
Component: | Users | Keywords: | has-patch changes-requested has-unit-tests |
Focuses: | multisite | Cc: |
Description
On a multisite installation I am trying to exclude a role using editable_roles filter.
The role is removed from the dropdown but if I change the role value in the DOM using the inspector I can successfully add the excluded role.
This happens only on multisite installations. On single installations if I try to add an excluded role I get the message “Sorry, you are not allowed to give users that role.”
How to reproduce the issue:
- Unset a role using editable_roles filter.
- Login with any role that has the capability create_user.
- Add a new user changing any role value with the excluded role (using inspector).
Change History (7)
This ticket was mentioned in PR #6808 on WordPress/wordpress-develop by @ideag.
6 months ago
#3
- Keywords has-patch added; needs-patch removed
This adds a check to the create/add user to blog screen to match and allow only the roles that are displayed in the UI.
#4
@
6 months ago
- Milestone changed from Awaiting Review to 6.7
- Owner set to ideag
- Status changed from new to assigned
#5
@
5 months ago
- Component changed from Networks and Sites to Users
- Version changed from 4.9.4 to 2.8
I've added some notes to the linked pull request but agree this would be helpful to get in to WordPress 6.7.
I've set the version to 2.8 as that's when get_editable_roles()
and the associated filter were introduced. It could be argued that it should be 3.0 as that's when Multisite was merged in to WordPress Core but let's not bikeshed it too much :)
#6
@
2 months ago
- Keywords changes-requested added
- Milestone changed from 6.7 to 6.8
I've moved this off the milestone as there are some change requests on the PR that will need to be followed up prior to commit.
This ticket was mentioned in PR #7999 on WordPress/wordpress-develop by @sukhendu2002.
16 hours ago
#7
- Keywords has-unit-tests added
Trac ticket: https://core.trac.wordpress.org/ticket/43251
Existing PR: https://github.com/WordPress/wordpress-develop/pull/6808
I think that line 159 in
wp-admin/user-new.php
is the culprit here. It passes$_REQUEST['role']
towpmu_signup_user()
without checking if the role is editable.wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) );