
Changeset 60976


Timestamp:
10/19/2025 05:18:55 PM (3 months ago)
Author:
johnjamesjacoby
Message:

Networks and Sites: prevent a PHP error in wp-admin/network/site-users.php.

This change brings the multisite-specific promote user action up to speed with the single-site one, by adding:

  • capability checks where appropriate
  • a none check on $role to set it to an empty string

It also updates the inline documentation of the single-site promote user action in users.php, to match the suggested additions to the multisite file.

Props ignatiusjeroe, jeremyfelt, johnjamesjacoby, pratiklondhe, shanemuir, sudipatel007, techpartho.

Fixes #61100.

Location:
trunk/src/wp-admin
Files:
2 edited

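--- a/trunk/src/wp-admin/network/site-users.php
+++ b/trunk/src/wp-admin/network/site-users.php
@@ -140,9 +140,23 @@
         case 'promote':
             check_admin_referer( 'bulk-users' );
+
+            if ( ! current_user_can( 'promote_users' ) ) {
+                wp_die( __( 'Sorry, you are not allowed to edit this user.' ), 403 );
+            }
+
             $editable_roles = get_editable_roles();
             $role           = $_REQUEST['new_role'];
 
+            // Mock `none` as editable role.
+            $editable_roles['none'] = array(
+                'name' => __( '— No role for this site —' ),
+            );
+
             if ( empty( $editable_roles[ $role ] ) ) {
                 wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
+            }
+
+            if ( 'none' === $role ) {
+                $role = '';
             }
 
@@ -152,4 +166,8 @@
                 foreach ( $userids as $user_id ) {
                     $user_id = (int) $user_id;
+
+                    if ( ! current_user_can( 'promote_user', $user_id ) ) {
+                        wp_die( __( 'Sorry, you are not allowed to edit this user.' ), 403 );
+                    }
 
                     // If the user doesn't already belong to the blog, bail.
@@ -163,4 +181,6 @@
 
                     $user = get_userdata( $user_id );
+
+                    // If $role is empty, none will be set.
                     $user->set_role( $role );
                 }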
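Review bot: The new role validation around `empty( $editable_roles[ $role ] )` still trusts the type of `$role`, which is assigned straight from `$_REQUEST['new_role']` a few lines above: a missing parameter produces an undefined-index warning, and an array value (`new_role[]=...`) makes the array offset throw a TypeError on PHP 8 before the check can reach `wp_die()`, which is the kind of PHP error this changeset sets out to prevent. Normalising it before the mock-role block, `$role = isset( $_REQUEST['new_role'] ) && is_string( $_REQUEST['new_role'] ) ? $_REQUEST['new_role'] : '';`, lets the unknown-role branch handle both cases with the existing 403. The single-site handler in users.php also stops the acting user from assigning themselves a role that lacks `promote_users`; whether this file does the same is not visible from these hunks, so that is worth confirming. The enclosing `case 'promote':` body continues outside the hunks.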
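--- a/trunk/src/wp-admin/users.php
+++ b/trunk/src/wp-admin/users.php
@@ -123,5 +123,5 @@
         $role           = $_REQUEST['new_role'];
 
-        // Mocking the `none` role so we are able to save it to the database
+        // Mock `none` as editable role.
         $editable_roles['none'] = array(
             'name' => __( '— No role for this site —' ),
@@ -163,4 +163,6 @@
 
             $user = get_userdata( $id );
+
+            // If $role is empty, none will be set.
             $user->set_role( $role );
         }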