Opened 15 months ago
Closed 3 months ago
#63068 closed defect (bug) (fixed)
Administrator Role Changed to "No Roles" Causes Internal Server Error
| Reported by: |
|
Owned by: |
|
|---|---|---|---|
| Milestone: | 7.0 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | has-patch dev-feedback has-test-info |
| Focuses: | administration | Cc: |
Description
Environment Details:
WordPress Version: 6.8 Beta 1
PHP Version: 8.1
Database: MySQL 8.0 / MariaDB 10.5
Web Server: Apache/Nginx
Theme: Twenty Twenty-Four
Plugins Installed: WP Beta Tester
Bug Description:
After upgrading to WordPress 6.8 Beta 1, if the only Administrator user is changed to “No Roles Assigned”, the site crashes with an Internal Server Error (500). This should be handled gracefully and don't allow role change if tehre is only one user.
Expected Behavior
- WordPress should prevent removing the last Administrator role.
- An error message should be displayed instead of allowing the change.
- The system should gracefully handle such role changes instead of causing a site crash.
Actual Behavior
The site crashes immediately after saving the role change.
Steps to Reproduce
- Upgrade to WordPress 6.8 Beta 1.
- Ensure there is only one administrator account.
- Go to Users > All Users, select the administrator account.
- Change the role to “No Role for This Site” and save.
Result: The site shows a 500 Internal Server Error,
Attachments (3)
Change History (27)
#2
@
15 months ago
Hmm it appears that the issue was already here in 6.7.2. Therefore, I'm removing trunk version.
This ticket was mentioned in PR #8469 on WordPress/wordpress-develop by @audrasjb.
15 months ago
#4
- Keywords has-patch added
#5
@
15 months ago
- Keywords dev-feedback needs-testing added
Workaround patch to fix this issue: https://github.com/WordPress/wordpress-develop/pull/8469
@johnbillion commented on PR #8469:
15 months ago
#6
I don't believe the number of users is the issue. The same thing occurs if you try to change the role of your own admin account on a site where there are other users.
@audrasjb commented on PR #8469:
15 months ago
#7
I don't believe the number of users is the issue. The same thing occurs if you try to remove the role of your own admin account on a site where there are other users.
I suspected this but I wanted to propose a first workaround and then investigate a bit more.
@audrasjb commented on PR #8469:
15 months ago
#8
I edited the PR to change the conditional: it now checks whether the current user is trying to remove their own role.
#9
@
15 months ago
@johnbillion Yes. So removing active user role by themselves need to te be tested I think
#10
@
15 months ago
Test Report
Patch Tested: https://github.com/WordPress/wordpress-develop/pull/8469
Environment:
WordPress - 6.8-beta1
OS - Windows
Browser - Firefox
Theme: Twenty Twenty
PHP - 8.2.12
Active Plugin: None
Actual Results:
- Issue Resolved With Patch.✅
Screenshots:
- Added Attachment
#12
@
15 months ago
Test Report
PR Tested: https://github.com/WordPress/wordpress-develop/pull/8469
Test Environment [Playground]
- WordPress Version: 6.8beta1
- OS: macOS
- Browser Google Chrome
- WordPress Active Theme: Twenty Twenty-Five
- Active Plugin: None
- PHP version: 7.4.31-dev
- Database Client Version: 3.40.1
- Database Server Version: 5.5
Test Results
- Actual Result: Upon updating the role of the only admin account in the site to "No Role for This Site", it leads to a screen similar to white screen of death with an error message "Sorry, you cannot remove your own role.".
- Expected Result: Upon updating, it should show an error message in the dashboard itself instead of showing error on white screen.
Reference Screenshots: https://drive.google.com/file/d/1NWh3DZ2YPwuEsT4HCKAARinUD7siY7YN/view?usp=drive_link
@johnbillion commented on PR #8469:
15 months ago
#14
The underlying problem is that there is logic for this already, in https://github.com/WordPress/wordpress-develop/blob/trunk/src/wp-admin/users.php#L146-L153, but it only accounts for a user attempting to change their own role to one that doesn't have the promote_users capability. It doesn't account for a user attempting to remove their role.
I think the existing condition should be updated or extended to account for an attempt to remove the role, rather than introducing separate logic prior to iterating the list of users.
This ticket was mentioned in Slack in #core by audrasjb. View the logs.
15 months ago
#17
@
15 months ago
- Milestone changed from 6.8 to 6.9
As per today's bugscrub: The patch still needs some work, let's move it to 6.9.
This ticket was mentioned in PR #8829 on WordPress/wordpress-develop by @hugod.
13 months ago
#19
Follows https://github.com/WordPress/wordpress-develop/pull/8469.
Proposes a new patch according to this suggestion
Trac ticket: https://core.trac.wordpress.org/ticket/63068
#21
@
8 months ago
Test Report
Description
This report validates whether the indicated patch works as expected.
Patch tested: https://github.com/WordPress/wordpress-develop/pull/8829/
Environment
- WordPress: 6.9-alpha-60093-src
- PHP: 8.2.29
- Server: nginx/1.29.2
- Database: mysqli (Server: 8.4.6 / Client: mysqlnd 8.2.29)
- Browser: Chrome 140.0.0.0
- OS: Linux
- Theme: Twenty Twenty-Five 1.2
- MU Plugins: None activated
- Plugins:
- Gutenberg 21.7.0
- Test Reports 1.2.0
Actual Results
- ✅ Issue resolved with patch. It now using proper wp_die() instead of fatal errors.
Additional Notes
- Delete all other users except admin.
- Remove your role on Users -> All Users -> Role Dropdown on the filter -> "— No role for this site —" then click the Change button.
Supplemental Artifacts
Before: Check https://core.trac.wordpress.org/ticket/63068#comment:20
After: 
#22
@
7 months ago
- Milestone changed from 6.9 to 7.0
Since RC1 is just around the corner, I will punt this ticket to 7.0.
#23
@
4 months ago
Patch Testing Report
Patch Tested: https://github.com/WordPress/wordpress-develop/pull/8829
Environment
- WordPress: 7.0-alpha-61215-src
- PHP: 8.2.29
- Server: nginx/1.29.5
- Database: mysqli (Server: 8.4.8 / Client: mysqlnd 8.2.29)
- Browser: Chrome 145.0.0.0
- OS: macOS
- Theme: Twenty Twenty-Five 1.4
- MU Plugins: None activated
- Plugins:
- Test Reports 1.2.1
Steps Taken
- Confirmed there is only one Administrator user on the site.
- Logged in as that Administrator.
- Navigated to Users → All Users.
- Edited the Administrator account.
- Changed the role to “— No role for this site —”.
- Clicked Update.
- Result (Before Patch):
- Warning: Undefined array key "" in /var/www/src/wp-admin/users.php on line 148
- Fatal error: Uncaught Error: Call to a member function has_cap() on null in /var/www/src/wp-admin/users.php:148
- Stack trace: #0 {main} thrown in /var/www/src/wp-admin/users.php on line 148
- The site returned a fatal error and became inaccessible (500 error).
- Applied PR.
- Repeated steps 2–6.
- ✅ Result (After Patch): Patch is solving the problem.
Expected Result
- WordPress should prevent users from removing their own Administrator role.
- The system should not allow the last Administrator role to be removed.
- A proper error message should be displayed instead of causing a PHP warning or fatal error.
- The site should remain stable and accessible.
Screenshots / Screencast
- Before & After video: https://files.catbox.moe/qdf9nj.mp4
Screenshot of error page