Prevent user creating new users with specific roles

One step is to use the editable_roles filter to remove roles from the dropdown but this doesn’t prevent the user from modifying the select value and create a user with “not allowed” role.

Yes it does. This filter is not just for the dropdown. Modifying editable_roles does in fact prevent users from assigning a role they’re not allowed to.

This is because edit_user() (the function used for adding new users) calls get_editable_roles() as well and bails when one is not allowed to give users that role.

Here’s a simple example of what you can do:

/**
 * Removes Administrator from roles list if user isn't an admin themselves.
 *
 * This way, only admins can make new admins.
 *
 * @param array $all_roles List of roles.
 * @return array Modified list of roles.
 */
function wpse_293133_filter_editable_roles( $all_roles ) {
  if ( ! is_super_admin( get_current_user_id() ) ) {
    unset( $all_roles['administrator'] );
  }

  return $all_roles;
}

add_filter( 'editable_roles', 'wpse_293133_filter_editable_roles' );

Related Posts:

  1. A different role for each site in a multisite
  2. WPMU – new users are automatically subscribed to the main blog – how to prevent that?
  3. How to change a user role after registering in multisite?
  4. Easily adding multiple existing users to a multisite site
  5. Why are my roles not visible in a Multi-site/Network?
  6. wordpress multisite, how to keep user on subdomain throughout registration process?
  7. How to enable a site administrator to edit users in a WordPress network/ multisite setup?
  8. Possible to make custom role in multisite that can add sites?
  9. How to add multiple existing users to a multisite site?
  10. In MultiSite, can some users automatically have Site Admin rights on all sites, without granting them Network Admin access?
  11. create_users capabilities on a role on multisite
  12. Update User Role Across Network when Main Site User is Updated
  13. Assign role to user on first login, if they are first (after admin)
  14. Get the User ID Who Owns a Given Blog ID in Multisite
  15. Make a user administrator to a sub directory site and a contributor to main site in multisite network
  16. Displaying a message upon user registration
  17. How to change user starting role in WordPress MultiSite?
  18. Allow Author on Site A capability to upload files on Site B in Multi Site
  19. Add a user to a specific blog when they register?
  20. Add menu items/actions for multisite users who are registered on the network but do not have a role or capability in any sites
  21. Four columns in the wp_users table
  22. Subsite access without being a member of the subsite in wp multisite network
  23. Create Custom Multisite User Role to Reduce Capabilities
  24. Restrict Capability of Administrator to Create, Edit and Delete Pages in Multisite
  25. Copy user role on multisite so the user can access subsites with same role
  26. How to fix that new users show up again in subsite of a Multisite?
  27. WordPress Multisite Add User
  28. can’t create user without email for an author after converting single site to multisite
  29. Possible to have duplicate usernames on different two multisites
  30. Modify new user email notification in network admin screen wp multisite
  31. Users getting linked unwanted to main mu in WordPress multisite (WPMU)
  32. Can’t activate a user on multisite install
  33. Multisite “Skip Confirmation Email” Log Out Problem
  34. How to create child/sub user under parent user
  35. How create a multisite setup with “phantom” accounts and passwords?
  36. Is there any way to give all users access to one blog in a multisite network without using a plugin?
  37. How to give “author” user role appropriate capabilities to add PollDaddy polls? WordPress multisite
  38. Using a number for limiting registering or banning on multisite
  39. How To Add Custom Form Fields To The User Profile Page?
  40. How to allow an user role to create a new user under a role which lower than his level only?
  41. Remove Ability for Other Users to View Administrator in User List?
  42. How to use same email for multiple users
  43. Where can I find documentation on what characters are allowed in user names and why?
  44. How to let contributors to create a new revision(draft) editing their published posts
  45. Troubleshooting a “You do not have sufficient permissions to access this page” error
  46. Allowing periods in usernames
  47. Different back-end colour scheme for the different sites of a multisite
  48. Remove Site Name from register form – Multisite
  49. Set up collaborative site
  50. Integrating WordPress to my website, while keeping my own authentication system
  51. Add role across network in multisite
  52. Restrict users on multisite WordPress install
  53. \WP_User Object | What’s the Difference Between {caps} and {allcaps}?
  54. How to enable the theme editor cap for an editor role?
  55. Is there a wordpress function to cleanly delete an entry in the signups table?
  56. How-to Delay The Capability To Publish Posts?
  57. WordPress Multisite Layered Admins
  58. WordPress 3.2(Multisite) – How to add custom user meta fields to signup form?
  59. the blog owner multisite
  60. How can I get multisite primary blog (url or path) for current user?
  61. User role permissions based on taxonomies
  62. Avoid having infinite loops
  63. Create custom role, multisite, add users/sites?
  64. Multisite – One user allowed access to all sites?
  65. Roles for Custom Post Types
  66. Add a role and give admin priviledges
  67. WordPress stuck in deleting user
  68. How to display users with posts published between two dates (Sorted by Post-Count) [Multisite]
  69. Multisite – maximum number of users with specific role
  70. Remove superadmin role from the “change role to” menu in user listing
  71. How To Disable Add new users On Subsites In Multisite?
  72. Wait ajax to complete before continue loop
  73. How to hide some users to unlogged users [closed]
  74. How to delete user from MU site when the user is removed from their site?
  75. Redirect admin 403 “Cheatin uh?” admin pages
  76. WordPress multisite, allow non super admins to create sites
  77. How to share User Database between Two Multisite Installations + More
  78. Remove specific administrator’s capability
  79. Creating teams of users in WordPress
  80. Multisite ‘Welcome User Email’ SITE_NAME returns ‘network’ name, not the name of the blog
  81. Give users acces to admin a single post or set up WP network?
  82. Restrict users of site 1 to login in site 2 in wordpress multisite
  83. “My Sites” incorrectly showing all network sites for all logged in users
  84. Allow a user or role to view drafts and previews, but not other admin privileges?
  85. User registration on wordpress multisite
  86. Admin users not able to see network menus
  87. User Roles in multisite – odd behavior
  88. Multisite – site user limited only for this site
  89. WordPress single sign on using cookies with shared user role functionality between more than 2 wordpress subdomains
  90. Activation of new Registered site fails on multisite
  91. Get current user outside of WordPress Multisite
  92. Multisite – User creation for second site from first site?
  93. WordPress MU users – how are they organized?
  94. Get users from all/specific blog by user_role and current_user role
  95. Possible to set new user’s site time zone at user creation using Gravity Forms?
  96. multisite registration: check existing subdomains while typing
  97. Registration Page
  98. Unsure of my options, Multi-blog?
  99. WordPress Multisite (Network) some site users added to main site users list as subscriber
  100. Change a subsite Admin role of a WordPress Multisite after 24 hours registering

Leave a Comment