Prevent user creating new users with specific roles

One step is to use the editable_roles filter to remove roles from the dropdown but this doesn’t prevent the user from modifying the select value and create a user with “not allowed” role.

Yes it does. This filter is not just for the dropdown. Modifying editable_roles does in fact prevent users from assigning a role they’re not allowed to.

This is because edit_user() (the function used for adding new users) calls get_editable_roles() as well and bails when one is not allowed to give users that role.

Here’s a simple example of what you can do:

/**
 * Removes Administrator from roles list if user isn't an admin themselves.
 *
 * This way, only admins can make new admins.
 *
 * @param array $all_roles List of roles.
 * @return array Modified list of roles.
 */
function wpse_293133_filter_editable_roles( $all_roles ) {
  if ( ! is_super_admin( get_current_user_id() ) ) {
    unset( $all_roles['administrator'] );
  }

  return $all_roles;
}

add_filter( 'editable_roles', 'wpse_293133_filter_editable_roles' );

Related Posts:

  1. A different role for each site in a multisite
  2. WPMU – new users are automatically subscribed to the main blog – how to prevent that?
  3. How to change a user role after registering in multisite?
  4. Easily adding multiple existing users to a multisite site
  5. Why are my roles not visible in a Multi-site/Network?
  6. wordpress multisite, how to keep user on subdomain throughout registration process?
  7. How to enable a site administrator to edit users in a WordPress network/ multisite setup?
  8. Possible to make custom role in multisite that can add sites?
  9. How to add multiple existing users to a multisite site?
  10. In MultiSite, can some users automatically have Site Admin rights on all sites, without granting them Network Admin access?
  11. create_users capabilities on a role on multisite
  12. Update User Role Across Network when Main Site User is Updated
  13. Assign role to user on first login, if they are first (after admin)
  14. Get the User ID Who Owns a Given Blog ID in Multisite
  15. Make a user administrator to a sub directory site and a contributor to main site in multisite network
  16. Displaying a message upon user registration
  17. How to change user starting role in WordPress MultiSite?
  18. Allow Author on Site A capability to upload files on Site B in Multi Site
  19. Add a user to a specific blog when they register?
  20. Add menu items/actions for multisite users who are registered on the network but do not have a role or capability in any sites
  21. Four columns in the wp_users table
  22. Subsite access without being a member of the subsite in wp multisite network
  23. Create Custom Multisite User Role to Reduce Capabilities
  24. Restrict Capability of Administrator to Create, Edit and Delete Pages in Multisite
  25. Copy user role on multisite so the user can access subsites with same role
  26. How to fix that new users show up again in subsite of a Multisite?
  27. WordPress Multisite Add User
  28. can’t create user without email for an author after converting single site to multisite
  29. Possible to have duplicate usernames on different two multisites
  30. Modify new user email notification in network admin screen wp multisite
  31. Users getting linked unwanted to main mu in WordPress multisite (WPMU)
  32. Can’t activate a user on multisite install
  33. Multisite “Skip Confirmation Email” Log Out Problem
  34. How to create child/sub user under parent user
  35. How create a multisite setup with “phantom” accounts and passwords?
  36. Is there any way to give all users access to one blog in a multisite network without using a plugin?
  37. How to give “author” user role appropriate capabilities to add PollDaddy polls? WordPress multisite
  38. Using a number for limiting registering or banning on multisite
  39. Non-super-admin users cannot access CPT even though I have explicitly added the capabilities to the user role
  40. Getting a List of Currently Available Roles on a WordPress Site?
  41. Editor can create any new user except administrator
  42. How To Add Custom Form Fields To The User Profile Page?
  43. Where are available Roles Defined in the wp_ database?
  44. How to allow an user role to create a new user under a role which lower than his level only?
  45. Site admin in a network install can’t edit users?
  46. Remove Ability for Other Users to View Administrator in User List?
  47. How to use same email for multiple users
  48. Where can I find documentation on what characters are allowed in user names and why?
  49. How can I un-reserve a pending username registration?
  50. How do I programmatically set default role for new users?
  51. Is there a is_user_logged_in() for multisite?
  52. Groups of capabilities: users with multiple roles?
  53. User-edit role setting distinct from wp_capabilities? [closed]
  54. WordPress Multisite allow site admin to add user without email confirmation
  55. How to let contributors to create a new revision(draft) editing their published posts
  56. How to allow mixed case characters in multisite site name?
  57. Multisite – each site with it’s own set of users
  58. User Roles in multisite – odd behavior
  59. Multisite – site user limited only for this site
  60. WordPress single sign on using cookies with shared user role functionality between more than 2 wordpress subdomains
  61. User / membership Plugin [closed]
  62. WordPress Multisite Network Subdomain
  63. Importing Posts into New Website with Same User ID’s
  64. WordPress automatic Login on other page?
  65. Multisite: How to bypass wpmu_signup_user_notification and add my own notification logic?
  66. Groups roles & capabilities
  67. Allow users to register on multisite through WooCommerce using the same email address
  68. Multisite error when adding a user: already a member of this site
  69. Activation of new Registered site fails on multisite
  70. Is Multisite the RIGHT option for my case?
  71. Subscriber role – blank page
  72. Should I use MultiSite for a subdomain based wp site?
  73. User registration problem on multisites web
  74. Get current user outside of WordPress Multisite
  75. Multisite – User creation for second site from first site?
  76. How to Create WPMu New User?
  77. Multisite vs Role Scoper
  78. WordPress MU users – how are they organized?
  79. Get users from all/specific blog by user_role and current_user role
  80. Possible to set new user’s site time zone at user creation using Gravity Forms?
  81. multisite registration: check existing subdomains while typing
  82. How can I display all Multisite blogs where this user is administrator?
  83. Redirect authors from upload.php url to Home page in Multisite
  84. WordPress multi user registration sites
  85. Registration Page
  86. Multisite and users being listed on network administration dashboard and not main site dashboard
  87. Want to add post to user dashboard
  88. How to use same email for multiple users? [duplicate]
  89. file upload user profile
  90. Unsure of my options, Multi-blog?
  91. WordPress Multisite (Network) some site users added to main site users list as subscriber
  92. WordPress Multisite restict user access
  93. current_user_can() returning true for capability when the user and role do not have the capability
  94. Multisite Login Access Restrictions
  95. Change a subsite Admin role of a WordPress Multisite after 24 hours registering
  96. How to use 2 different databases but share the same user in wordpress
  97. How to add default folders to Every registered User when registered in WordPress site?
  98. Condionally/limited emails from system (cantact-form, registration, passwd reset)With
  99. How can I get all capabilities for a particular user?
  100. Allowing a CPT post to be edited by a single user role

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)