WP_REST_Users_Controller::check_role_update( int $user_id, array $roles )
Determines if the current user is allowed to make the desired roles change.
Parameters
- $user_id
-
(Required) User ID.
- $roles
-
(Required) New user roles.
Return
(true|WP_Error) True if the current user is allowed to make the role change, otherwise a WP_Error object.
Source
File: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php
protected function check_role_update( $user_id, $roles ) {
global $wp_roles;
foreach ( $roles as $role ) {
if ( ! isset( $wp_roles->role_objects[ $role ] ) ) {
/* translators: %s: role key */
return new WP_Error( 'rest_user_invalid_role', sprintf( __( 'The role %s does not exist.' ), $role ), array( 'status' => 400 ) );
}
$potential_role = $wp_roles->role_objects[ $role ];
/*
* Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
* Multisite super admins can freely edit their blog roles -- they possess all caps.
*/
if ( ! ( is_multisite()
&& current_user_can( 'manage_sites' ) )
&& get_current_user_id() === $user_id
&& ! $potential_role->has_cap( 'edit_users' )
) {
return new WP_Error( 'rest_user_invalid_role', __( 'Sorry, you are not allowed to give users that role.' ), array( 'status' => rest_authorization_required_code() ) );
}
/** Include admin functions to get access to get_editable_roles() */
require_once ABSPATH . 'wp-admin/includes/admin.php';
// The new role must be editable by the logged-in user.
$editable_roles = get_editable_roles();
if ( empty( $editable_roles[ $role ] ) ) {
return new WP_Error( 'rest_user_invalid_role', __( 'Sorry, you are not allowed to give users that role.' ), array( 'status' => 403 ) );
}
}
return true;
}
Changelog
Version | Description |
---|---|
4.7.0 | Introduced. |