WP_REST_Users_Controller::check_role_update()protectedWP 4.7.0

Determines if the current user is allowed to make the desired roles change.

Method of the class: WP_REST_Users_Controller{}

No Hooks.

Return

true|WP_Error. True if the current user is allowed to make the role change, otherwise a WP_Error object.

Usage

// protected - for code of main (parent) or child class
$result = $this->check_role_update( $user_id, $roles );
$user_id(int) (required)
User ID.
$roles(array) (required)
New user roles.

Notes

  • Global. WP_Roles. $wp_roles WordPress role management object.

Changelog

Since 4.7.0 Introduced.

WP_REST_Users_Controller::check_role_update() code WP 6.6.2

protected function check_role_update( $user_id, $roles ) {
	global $wp_roles;

	foreach ( $roles as $role ) {

		if ( ! isset( $wp_roles->role_objects[ $role ] ) ) {
			return new WP_Error(
				'rest_user_invalid_role',
				/* translators: %s: Role key. */
				sprintf( __( 'The role %s does not exist.' ), $role ),
				array( 'status' => 400 )
			);
		}

		$potential_role = $wp_roles->role_objects[ $role ];

		/*
		 * Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
		 * Multisite super admins can freely edit their blog roles -- they possess all caps.
		 */
		if ( ! ( is_multisite()
			&& current_user_can( 'manage_sites' ) )
			&& get_current_user_id() === $user_id
			&& ! $potential_role->has_cap( 'edit_users' )
		) {
			return new WP_Error(
				'rest_user_invalid_role',
				__( 'Sorry, you are not allowed to give users that role.' ),
				array( 'status' => rest_authorization_required_code() )
			);
		}

		// Include user admin functions to get access to get_editable_roles().
		require_once ABSPATH . 'wp-admin/includes/user.php';

		// The new role must be editable by the logged-in user.
		$editable_roles = get_editable_roles();

		if ( empty( $editable_roles[ $role ] ) ) {
			return new WP_Error(
				'rest_user_invalid_role',
				__( 'Sorry, you are not allowed to give users that role.' ),
				array( 'status' => 403 )
			);
		}
	}

	return true;
}