Changeset 62026

Timestamp:

03/14/2026 08:14:30 AM (less than one hour ago)

Author:

audrasjb

Message:

Users: Disallow bulk editing a single user with no roles.

This changeset prevents users from removing their own role when bulk editing user roles.

Props jomonthomaslobo1, johnbillion, hugod, audrasjb, shailu25, rishavdutta, rollybueno.
Fixes #63068.

File:

• trunk/src/wp-admin/users.php (modified) (1 diff)

trunk/src/wp-admin/users.php

@@ -144 +144 @@
             }
 
-            // The new role of the current user must also have the promote_users cap or be a multisite super admin.
-            if ( $id === $current_user->ID
-                && ! $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' )
-                && ! ( is_multisite() && current_user_can( 'manage_network_users' ) )
-            ) {
-                    $update = 'err_admin_role';
+            // The new role of the current user must also have the promote_users cap, be a multisite super admin and must not be empty.
+            if ( $id === $current_user->ID ) {
+                if ( '' === $role ) {
+                    wp_die( __( 'Sorry, you cannot remove your own role.' ), 403 );
+                }
+
+                if ( $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' ) || ( is_multisite() && current_user_can( 'manage_network_users' ) ) ) {
                     continue;
+                }
+
+                $update = 'err_admin_role';
+                continue;
             }