From 0eddfae7fbdbe196b19dee983a7f91c00da17cda Mon Sep 17 00:00:00 2001
From: audrasjb
Date: Sat, 14 Mar 2026 08:15:46 +0000
Subject: [PATCH] Users: Disallow bulk editing a single user with no roles.

This changeset prevents users from removing their own role when bulk editing user roles.

Props jomonthomaslobo1, johnbillion, hugod, audrasjb, shailu25, rishavdutta, rollybueno.
Fixes #63068.

Built from https://develop.svn.wordpress.org/trunk@62026

git-svn-id: http://core.svn.wordpress.org/trunk@61308 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/users.php | 17 +++++++++++------
 wp-includes/version.php | 2 +-
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/wp-admin/users.php b/wp-admin/users.php
index 2d4de31d3d..650f810275 100644
--- a/wp-admin/users.php
+++ b/wp-admin/users.php
@@ -143,13 +143,18 @@ switch ( $wp_list_table->current_action() ) {
 wp_die( __( 'Sorry, you are not allowed to edit this user.' ), 403 );
 }
 
- // The new role of the current user must also have the promote_users cap or be a multisite super admin.
- if ( $id === $current_user->ID
- && ! $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' )
- && ! ( is_multisite() && current_user_can( 'manage_network_users' ) )
- ) {
- $update = 'err_admin_role';
+ // The new role of the current user must also have the promote_users cap, be a multisite super admin and must not be empty.
+ if ( $id === $current_user->ID ) {
+ if ( '' === $role ) {
+ wp_die( __( 'Sorry, you cannot remove your own role.' ), 403 );
+ }
+
+ if ( $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' ) || ( is_multisite() && current_user_can( 'manage_network_users' ) ) ) {
 continue;
+ }
+
+ $update = 'err_admin_role';
+ continue;
 }
 
 // If the user doesn't already belong to the blog, bail.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 3a2536405d..fa73bc8055 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
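Review bot: In the wp-admin/users.php hunk the permitted branch now ends in the retained `continue;`, so when the current user picks a role that has `promote_users` (or is a multisite super admin) the iteration is skipped, where the removed condition let it fall through. If the role assignment happens later in the loop body, which lies outside this hunk, a legitimate change to one's own role becomes a silent no-op with no error reported. Keeping the old polarity inside the new block would preserve the previous behaviour: `if ( ! $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' ) && ! ( is_multisite() && current_user_can( 'manage_network_users' ) ) ) {` wrapped around the existing `$update = 'err_admin_role'; continue;`. The `'' === $role` check also calls `wp_die()` from inside the loop, so users listed before the current user in the same request may already have been processed; it could run before the loop starts. The comment reads more accurately as `// The current user's new role must not be empty, and must have the promote_users cap unless they are a multisite super admin.`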
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '7.0-beta5-62025';
+$wp_version = '7.0-beta5-62026';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.