Users: Disallow bulk editing a single user with no roles.

This changeset prevents users from removing their own role when bulk editing user roles.

Props jomonthomaslobo1, johnbillion, hugod, audrasjb, shailu25, rishavdutta, rollybueno.
Fixes #63068.


Built from https://develop.svn.wordpress.org/trunk@62026


git-svn-id: http://core.svn.wordpress.org/trunk@61308 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/users.php

@@ -143,13 +143,18 @@ switch ( $wp_list_table->current_action() ) {
 				wp_die( __( 'Sorry, you are not allowed to edit this user.' ), 403 );
 			}
 
-			// The new role of the current user must also have the promote_users cap or be a multisite super admin.
-			if ( $id === $current_user->ID
-				&& ! $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' )
-				&& ! ( is_multisite() && current_user_can( 'manage_network_users' ) )
-			) {
-					$update = 'err_admin_role';
+			// The new role of the current user must also have the promote_users cap, be a multisite super admin and must not be empty.
+			if ( $id === $current_user->ID ) {
+				if ( '' === $role ) {
+					wp_die( __( 'Sorry, you cannot remove your own role.' ), 403 );
+				}
+
+				if ( $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' ) || ( is_multisite() && current_user_can( 'manage_network_users' ) ) ) {
 					continue;
+				}
+
+				$update = 'err_admin_role';
+				continue;
 			}
 
 			// If the user doesn't already belong to the blog, bail.

wp-includes/version.php

@@ -16,7 +16,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '7.0-beta5-62025';
+$wp_version = '7.0-beta5-62026';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.