[wp-trac] [WordPress Trac] #43251: editable_roles filter doesn't exclude role on multisite
WordPress Trac
noreply at wordpress.org
Fri Feb 23 02:10:13 UTC 2018
#43251: editable_roles filter doesn't exclude role on multisite
--------------------------------+------------------------------
Reporter: eArtboard | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Networks and Sites | Version: 4.9.4
Severity: normal | Resolution:
Keywords: | Focuses: multisite
--------------------------------+------------------------------
Comment (by thomaswm):
I think that [https://core.trac.wordpress.org/browser/tags/4.9.4/src/wp-admin/user-new.php#L159 line 159]
in `wp-admin/user-new.php` is the
culprit here. It passes `$_REQUEST['role']` to `wpmu_signup_user()`
without checking if the role is editable.
{{{#!php
wpmu_signup_user( $new_user_login, $new_user_email, array( 'add_to_blog' => get_current_blog_id(), 'new_role' => $_REQUEST['role'] ) );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43251#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
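
The check the comment says is missing, as an added example that is not part of the original message or of WordPress core: validate the submitted role against the filtered role list before it reaches `wpmu_signup_user()`. The helper name `example_validate_requested_role` and the sample role arrays are assumptions made for illustration; the script is standalone PHP so it runs without WordPress.

```php
<?php
// Added example, not WordPress core code. Inside wp-admin the allow-list
// would come from get_editable_roles(), which applies the 'editable_roles'
// filter; here it is a constructed array so the script runs on its own.

/**
 * Hypothetical helper: return the requested role only if it is a key of the
 * editable-roles array, otherwise null so the caller can refuse the request.
 */
function example_validate_requested_role( $requested, array $editable_roles ) {
    // Request parameters can arrive as arrays (role[]=x); accept strings only.
    if ( ! is_string( $requested ) || '' === $requested ) {
        return null;
    }
    // Role slugs are the array keys, so membership is a key lookup.
    return array_key_exists( $requested, $editable_roles ) ? $requested : null;
}

// Constructed sample: the roles left after a site's 'editable_roles' filter
// has removed 'administrator' from the list.
$editable_roles = array(
    'editor'     => array( 'name' => 'Editor' ),
    'author'     => array( 'name' => 'Author' ),
    'subscriber' => array( 'name' => 'Subscriber' ),
);

// Constructed request values: one offered by the form, one that the filter
// removed, and one malformed (array instead of string).
$requests = array( 'author', 'administrator', array( 'author' ) );

foreach ( $requests as $role_param ) {
    $role = example_validate_requested_role( $role_param, $editable_roles );
    if ( null === $role ) {
        // In user-new.php this branch would stop the request (for example
        // with wp_die()) before wpmu_signup_user() is reached.
        echo 'rejected: ' . json_encode( $role_param ) . "\n";
        continue;
    }
    // Only a validated slug would be passed on as 'new_role'.
    echo "accepted: {$role}\n";
}
```

Hiding a role from the dropdown through the filter changes only what the form offers; the server-side lookup is what stops a hand-edited `role` parameter from being honoured.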