Users: Use editable_roles filter for multisite sub-sites.

Adds a check of the `editable_roles` filter when adding users to a multisite sub-site to ensure the role is permitted to be used on the network. If the role is blocked by the filter, attempting to add the role will trigger a `wp_die()` similar to attempting to add a user with the role on a single site install. Props eartboard, hareesh-pillai, ideag, sukhendu2002, spacedmonkey, thomaswm. Fixes #43251. Built from https://develop.svn.wordpress.org/trunk@59901 git-svn-id: http://core.svn.wordpress.org/trunk@59243 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2025-12-05 11:24:25 +01:00 · 2025-03-02 23:35:23 +00:00 · 2025-03-02 23:35:23 +00:00 · a10c294d3e
commit a10c294d3e
parent f385ca5e98
3 changed files with 20 additions and 1 deletions
--- a/wp-admin/includes/ms.php
+++ b/wp-admin/includes/ms.php
@ -1172,3 +1172,17 @@ function get_site_screen_help_sidebar_content() {
 		'<p>' . __( '<a href="https://developer.wordpress.org/advanced-administration/multisite/admin/#network-admin-sites-screen">Documentation on Site Management</a>' ) . '</p>' .
 		'<p>' . __( '<a href="https://wordpress.org/support/forum/multisite/">Support forums</a>' ) . '</p>';
 }
+
+/**
+ * Stop execution if the role can not be assigned by the current user.
+ *
+ * @since 6.8.0
+ *
+ * @param string $role Role the user is attempting to assign.
+ */
+function wp_ensure_editable_role( $role ) {
+	$roles = get_editable_roles();
+	if ( ! isset( $roles[ $role ] ) ) {
+		wp_die( __( 'Sorry, you are not allowed to give users that role.' ), 403 );
+	}
+}
--- a/wp-admin/user-new.php
+++ b/wp-admin/user-new.php
@ -69,6 +69,9 @@ if ( isset( $_REQUEST['action'] ) && 'adduser' === $_REQUEST['action'] ) {
 		$redirect = add_query_arg( array( 'update' => 'addexisting' ), 'user-new.php' );
 	} else {
 		if ( isset( $_POST['noconfirmation'] ) && current_user_can( 'manage_network_users' ) ) {
+
+			wp_ensure_editable_role( $_REQUEST['role'] );
+
 			$result = add_existing_user_to_blog(
 				array(
 					'user_id' => $user_id,
@ -225,6 +228,8 @@ Please click the following link to confirm the invite:
 				add_filter( 'wpmu_welcome_user_notification', '__return_false' ); // Disable welcome email.
 			}

+			wp_ensure_editable_role( $_REQUEST['role'] );
+
 			wpmu_signup_user(
 				$new_user_login,
 				$new_user_email,
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.8-alpha-59900';
+$wp_version = '6.8-alpha-59901';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.