diff --git a/wp-admin/includes/ms.php b/wp-admin/includes/ms.php
index 6814d1198e..fc5f54a7f4 100644
--- a/wp-admin/includes/ms.php
+++ b/wp-admin/includes/ms.php
@@ -1172,3 +1172,17 @@ function get_site_screen_help_sidebar_content() {
 '

' . __( 'Documentation on Site Management' ) . '

' . '

' . __( 'Support forums' ) . '

';
 }
+
+/**
+ * Stop execution if the role can not be assigned by the current user.
+ *
+ * @since 6.8.0
+ *
+ * @param string $role Role the user is attempting to assign.
+ */
+function wp_ensure_editable_role( $role ) {
+ $roles = get_editable_roles();
+ if ( ! isset( $roles[ $role ] ) ) {
+ wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
+ }
+}
diff --git a/wp-admin/user-new.php b/wp-admin/user-new.php
index aed07ff1c3..cdc1dfef1e 100644
--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@@ -69,6 +69,9 @@ if ( isset( $_REQUEST['action'] ) && 'adduser' === $_REQUEST['action'] ) {
 $redirect = add_query_arg( array( 'update' => 'addexisting' ), 'user-new.php' );
 } else {
 if ( isset( $_POST['noconfirmation'] ) && current_user_can( 'manage_network_users' ) ) {
+
+ wp_ensure_editable_role( $_REQUEST['role'] );
+
 $result = add_existing_user_to_blog(
 array(
 'user_id' => $user_id,
@@ -225,6 +228,8 @@ Please click the following link to confirm the invite:
 add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email.
 }
+ wp_ensure_editable_role( $_REQUEST['role'] );
+
 wpmu_signup_user(
 $new_user_login,
 $new_user_email,
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 5718843aa4..2da39cba91 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8-alpha-59900';
+$wp_version = '6.8-alpha-59901';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
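Review bot: `wp_ensure_editable_role()` assumes `$role` is a string, but the callers added in user-new.php pass `$_REQUEST['role']` straight through, and a request can carry that field as an array; on PHP 8 an array offset inside `isset( $roles[ $role ] )` raises a TypeError (illegal offset type), so the request fails with a fatal error rather than the intended 403. Checking the type first keeps the failure mode uniform: `if ( ! is_string( $role ) || ! isset( $roles[ $role ] ) ) {`. The docblock should also state the failure contract, e.g. `@return void Calls wp_die() with a 403 status when the role is not among the current user's editable roles.`, since the function never returns a result and callers rely on execution stopping.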
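Review bot: The new `wp_ensure_editable_role( $_REQUEST['role'] );` line reads the field without an `isset()` guard, so a request with no `role` parameter emits an undefined-array-key warning before the empty value is rejected; `wp_ensure_editable_role( $_REQUEST['role'] ?? '' );` keeps the same 403 outcome without the warning, and the same applies to the second hunk in this file above `wpmu_signup_user(`. The check is placed only inside the `noconfirmation` branch; the `else` side of that inner `if` is outside the hunk, and if it also records `$_REQUEST['role']` for a pending invitation, the role should be validated there too, since it is consumed later when the invite is accepted. The enclosing `adduser` block starts and ends outside the hunk.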