Fix: Improve editable_roles validation in multisite environments

WordPress · Dec 12, 2024 · 29622ae · 29622ae
1 parent 9104190
commit 29622ae
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 0 deletions.
diff --git a/src/wp-admin/includes/ms.php b/src/wp-admin/includes/ms.php
@@ -1172,3 +1172,17 @@ function get_site_screen_help_sidebar_content() {
 		'<p>' . __( '<a href="https://developer.wordpress.org/advanced-administration/multisite/admin/#network-admin-sites-screen">Documentation on Site Management</a>' ) . '</p>' .
 		'<p>' . __( '<a href="https://wordpress.org/support/forum/multisite/">Support forums</a>' ) . '</p>';
 }
+
+/**
+ * Stop execution if the role can not be assigned by the current user.
+ *
+ * @since 6.8.0
+ *
+ * @param string $role Role the user is attempting to assign.
+ */
+function wp_ensure_editable_role( $role ) {
+	$roles = get_editable_roles();
+	if ( ! isset( $roles[ $role ] ) ) {
+		wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
+	}
+}
diff --git a/src/wp-admin/user-new.php b/src/wp-admin/user-new.php
@@ -69,6 +69,9 @@
 		$redirect = add_query_arg( array( 'update' => 'addexisting' ), 'user-new.php' );
 	} else {
 		if ( isset( $_POST['noconfirmation'] ) && current_user_can( 'manage_network_users' ) ) {
+
+			wp_ensure_editable_role( $_REQUEST['role'] );
+
 			$result = add_existing_user_to_blog(
 				array(
 					'user_id' => $user_id,
@@ -225,6 +228,8 @@
 				add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email.
 			}
 
+			wp_ensure_editable_role( $_REQUEST['role'] );
+
 			wpmu_signup_user(
 				$new_user_login,
 				$new_user_email,

diff --git a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
@@ -220,6 +220,54 @@ public function test_signup_nonce_check_invalid() {
 
 			$this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
 		}
+
+		/**
+		 * Ensure that wp_ensure_editable_role does not throw an exception when the role is editable.
+		 *
+		 * @ticket 43251
+		 *
+		 * @covers ::wp_ensure_editable_role
+		 */
+		public function test_wp_ensure_editable_role_allows_editable_roles() {
+			$role = get_role( 'editor' );
+			$this->assertInstanceOf( 'WP_Role', $role, 'The editor role should exist.' );
+			$this->assertNull( wp_ensure_editable_role( 'editor' ), 'The editor role should be editable.' );
+		}
+
+		/**
+		 * Ensure that wp_ensure_editable_role throws an exception for non-existent roles.
+		 *
+		 * @ticket 43251
+		 *
+		 * @covers ::wp_ensure_editable_role
+		 */
+		public function test_wp_ensure_editable_role_does_not_allow_non_existent_role() {
+			$this->expectException( 'WPDieException' );
+			$role = get_role( 'non-existent-role' );
+			$this->assertNotInstanceOf( 'WP_Role', $role, 'The non-existent-role role should not exist.' );
+			wp_ensure_editable_role( 'non-existent-role' );
+		}
+
+		/**
+		 * Ensure that wp_ensure_editable_role throws an exception for roles that are not editable.
+		 *
+		 * @ticket 43251
+		 *
+		 * @covers ::wp_ensure_editable_role
+		 */
+		public function test_wp_ensure_editable_role_does_not_allow_uneditable_roles() {
+			add_filter(
+				'editable_roles',
+				function ( $roles ) {
+					unset( $roles['editor'] );
+					return $roles;
+				}
+			);
+			$this->expectException( 'WPDieException' );
+			$role = get_role( 'editor' );
+			$this->assertInstanceOf( 'WP_Role', $role, 'The editor role should exist.' );
+			wp_ensure_editable_role( 'editor' );
+		}
 	}
 
 endif;