WP_REST_Users_Controller::check_role_update() WordPress Method

The WP_REST_Users_Controller::check_role_update() method is used to check if a user is allowed to update their role. This is done by checking if the current user has the 'edit_user' capability.

WP_REST_Users_Controller::check_role_update( int $user_id, array $roles ) #

Determines if the current user is allowed to make the desired roles change.

Contents

Parameters

$user_id

(int)(Required)User ID.

$roles

(array)(Required)New user roles.

Top ↑

Return

(true|WP_Error) True if the current user is allowed to make the role change, otherwise a WP_Error object.

Top ↑

Source

File: wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php

	protected function check_role_update( $user_id, $roles ) {
		global $wp_roles;

		foreach ( $roles as $role ) {

			if ( ! isset( $wp_roles->role_objects[ $role ] ) ) {
				return new WP_Error(
					'rest_user_invalid_role',
					/* translators: %s: Role key. */
					sprintf( __( 'The role %s does not exist.' ), $role ),
					array( 'status' => 400 )
				);
			}

			$potential_role = $wp_roles->role_objects[ $role ];

			/*
			 * Don't let anyone with 'edit_users' (admins) edit their own role to something without it.
			 * Multisite super admins can freely edit their blog roles -- they possess all caps.
			 */
			if ( ! ( is_multisite()
				&& current_user_can( 'manage_sites' ) )
				&& get_current_user_id() === $user_id
				&& ! $potential_role->has_cap( 'edit_users' )
			) {
				return new WP_Error(
					'rest_user_invalid_role',
					__( 'Sorry, you are not allowed to give users that role.' ),
					array( 'status' => rest_authorization_required_code() )
				);
			}

			// Include user admin functions to get access to get_editable_roles().
			require_once ABSPATH . 'wp-admin/includes/user.php';

			// The new role must be editable by the logged-in user.
			$editable_roles = get_editable_roles();

			if ( empty( $editable_roles[ $role ] ) ) {
				return new WP_Error(
					'rest_user_invalid_role',
					__( 'Sorry, you are not allowed to give users that role.' ),
					array( 'status' => 403 )
				);
			}
		}

		return true;
	}

Expand full source codeCollapse full source codeView on TracView on GitHub

Top ↑

Top ↑

Uses

Uses
UsesDescription
wp-includes/rest-api.php:rest_authorization_required_code()

Returns a contextual HTTP error code for authorization failure.

wp-admin/includes/user.php:get_editable_roles()

Fetch a filtered list of user roles that the current user is allowed to edit.

wp-includes/capabilities.php:current_user_can()

Returns whether the current user has the specified capability.

wp-includes/l10n.php:__()

Retrieve the translation of $text.

wp-includes/load.php:is_multisite()

If Multisite is enabled.

wp-includes/user.php:get_current_user_id()

Gets the current user’s ID.

wp-includes/class-wp-error.php:WP_Error::__construct()

Initializes the error.

Show 2 more usesHide more uses

Top ↑

Changelog

Changelog
VersionDescription
4.7.0Introduced.
Download the latest version of WordPress from https://wordpress.org/

The content displayed on this page has been created in part by processing WordPress source code files which are made available under the GPLv2 (or a later version) license by theĀ Free Software Foundation. In addition to this, the content includes user-written examples and information. All material is subject to review and curation by the WPPaste.com community.