WP_REST_Users_Controller::check_role_update()
Determines if the current user is allowed to make the desired roles change.
Method of the class: WP_REST_Users_Controller{}
No Hooks.
Return
true|WP_Error
. True if the current user is allowed to make the role change, otherwise a WP_Error object.
Usage
// protected - for code of main (parent) or child class $result = $this->check_role_update( $user_id, $roles );
- $user_id(int) (required)
- User ID.
- $roles(array) (required)
- New user roles.
Notes
- Global. WP_Roles. $wp_roles WordPress role management object.
Changelog
Since 4.7.0 | Introduced. |
WP_REST_Users_Controller::check_role_update() WP REST Users Controller::check role update code WP 6.6.2
protected function check_role_update( $user_id, $roles ) { global $wp_roles; foreach ( $roles as $role ) { if ( ! isset( $wp_roles->role_objects[ $role ] ) ) { return new WP_Error( 'rest_user_invalid_role', /* translators: %s: Role key. */ sprintf( __( 'The role %s does not exist.' ), $role ), array( 'status' => 400 ) ); } $potential_role = $wp_roles->role_objects[ $role ]; /* * Don't let anyone with 'edit_users' (admins) edit their own role to something without it. * Multisite super admins can freely edit their blog roles -- they possess all caps. */ if ( ! ( is_multisite() && current_user_can( 'manage_sites' ) ) && get_current_user_id() === $user_id && ! $potential_role->has_cap( 'edit_users' ) ) { return new WP_Error( 'rest_user_invalid_role', __( 'Sorry, you are not allowed to give users that role.' ), array( 'status' => rest_authorization_required_code() ) ); } // Include user admin functions to get access to get_editable_roles(). require_once ABSPATH . 'wp-admin/includes/user.php'; // The new role must be editable by the logged-in user. $editable_roles = get_editable_roles(); if ( empty( $editable_roles[ $role ] ) ) { return new WP_Error( 'rest_user_invalid_role', __( 'Sorry, you are not allowed to give users that role.' ), array( 'status' => 403 ) ); } } return true; }