Prevent user creating new users with specific roles

One step is to use the editable_roles filter to remove roles from the dropdown but this doesn’t prevent the user from modifying the select value and create a user with “not allowed” role.

Yes it does. This filter is not just for the dropdown. Modifying editable_roles does in fact prevent users from assigning a role they’re not allowed to.

This is because edit_user() (the function used for adding new users) calls get_editable_roles() as well and bails when one is not allowed to give users that role.

Here’s a simple example of what you can do:

/**
 * Removes Administrator from roles list if user isn't an admin themselves.
 *
 * This way, only admins can make new admins.
 *
 * @param array $all_roles List of roles.
 * @return array Modified list of roles.
 */
function wpse_293133_filter_editable_roles( $all_roles ) {
  if ( ! is_super_admin( get_current_user_id() ) ) {
    unset( $all_roles['administrator'] );
  }

  return $all_roles;
}

add_filter( 'editable_roles', 'wpse_293133_filter_editable_roles' );

Related Posts:

  1. A different role for each site in a multisite
  2. WPMU – new users are automatically subscribed to the main blog – how to prevent that?
  3. How to change a user role after registering in multisite?
  4. Easily adding multiple existing users to a multisite site
  5. Why are my roles not visible in a Multi-site/Network?
  6. wordpress multisite, how to keep user on subdomain throughout registration process?
  7. How to enable a site administrator to edit users in a WordPress network/ multisite setup?
  8. Possible to make custom role in multisite that can add sites?
  9. How to add multiple existing users to a multisite site?
  10. In MultiSite, can some users automatically have Site Admin rights on all sites, without granting them Network Admin access?
  11. create_users capabilities on a role on multisite
  12. Update User Role Across Network when Main Site User is Updated
  13. Assign role to user on first login, if they are first (after admin)
  14. Get the User ID Who Owns a Given Blog ID in Multisite
  15. Make a user administrator to a sub directory site and a contributor to main site in multisite network
  16. Displaying a message upon user registration
  17. How to change user starting role in WordPress MultiSite?
  18. Allow Author on Site A capability to upload files on Site B in Multi Site
  19. Add a user to a specific blog when they register?
  20. Add menu items/actions for multisite users who are registered on the network but do not have a role or capability in any sites
  21. Four columns in the wp_users table
  22. Subsite access without being a member of the subsite in wp multisite network
  23. Create Custom Multisite User Role to Reduce Capabilities
  24. Restrict Capability of Administrator to Create, Edit and Delete Pages in Multisite
  25. Copy user role on multisite so the user can access subsites with same role
  26. How to fix that new users show up again in subsite of a Multisite?
  27. WordPress Multisite Add User
  28. can’t create user without email for an author after converting single site to multisite
  29. Possible to have duplicate usernames on different two multisites
  30. Modify new user email notification in network admin screen wp multisite
  31. Users getting linked unwanted to main mu in WordPress multisite (WPMU)
  32. Can’t activate a user on multisite install
  33. Multisite “Skip Confirmation Email” Log Out Problem
  34. How to create child/sub user under parent user
  35. How create a multisite setup with “phantom” accounts and passwords?
  36. Is there any way to give all users access to one blog in a multisite network without using a plugin?
  37. How to give “author” user role appropriate capabilities to add PollDaddy polls? WordPress multisite
  38. Using a number for limiting registering or banning on multisite
  39. Non-super-admin users cannot access CPT even though I have explicitly added the capabilities to the user role
  40. Where are available Roles Defined in the wp_ database?
  41. User-edit role setting distinct from wp_capabilities? [closed]
  42. WordPress Multisite allow site admin to add user without email confirmation
  43. Network not displaying all sites and users
  44. Disallowing Users of a Custom Role from Deleting or Adding Administrators?
  45. What the user_status column?
  46. Add Custom User Capabilities Before or After the Custom User Role has Been Added?
  47. Give to site admin the option to “skip confirmation email” when adding new user
  48. Do not allow users to create new posts and pages
  49. Adding capabilities to super admins
  50. Get first_name and last_name on user_register hook
  51. How do I fix problems with users not being able to publish and only submit for review after upgrade of Multisites installation?
  52. Allowing logged in users to comment without moderation across a multisite installation
  53. Can you have multi-site WP and keep users separate?
  54. How to customize wp_signon()
  55. Can I use multisite functions in a single-site installation?
  56. User registration on sub site
  57. Restrict Admin Capabilities in MultiSite
  58. How can I delete a user from entire multisite nework
  59. delete_user_meta : how to delete all the metadata of a given user (witout SQL)
  60. How to search users globally on a multisite install?
  61. Within the database, where is the flag which says that a user has Super Admin rights?
  62. current_user_can() always returns true if user is super admin
  63. Getting users by specific capability, not role
  64. Query users by capability – uninstall/deactivate callback
  65. access the plugins for each role in WordPress multisite
  66. What sites are you registered to when joining a multisite?
  67. Auto creation of multisite blog on user registration
  68. Remove Capabilities from WP admin for specific user role
  69. Displaying different in-page content to cliente/admin
  70. Is the Multi site functionality a viable option for Country and Language targeting?
  71. Good way to block users within a multisite setup without deleting them?
  72. Multisite user roles – capabilities not working
  73. How can you override the is_multisite check in wp-login.php for individual login/registration?
  74. Limit number of users a role can create
  75. How can I prevent certain custom roles from seeing other custom roles on the user list page?
  76. Understanding State in WordPress Multisites
  77. User registration on two sites in same multisite
  78. How to sync roles across Multisite?
  79. What’s the correct way to add capabilites to user roles?
  80. Delete user from multisite when removed from subsite
  81. Combining user database tables while keeping all other data in seperate for multiple sites?
  82. User registration is currently not allowed
  83. Give users acces to admin a single post or set up WP network?
  84. How to make WordPress ‘editor’ role to list/view/add/edit users only with the role ‘author’?
  85. Language per user role, how can I achieve this?
  86. Automatic registration on main site upon user registration on Multisite
  87. Disabling user capability to edit_posts or delete_posts in the front-end
  88. How to allow mixed case characters in multisite site name?
  89. Multisite – each site with it’s own set of users
  90. Multisite – site user limited only for this site
  91. User / membership Plugin [closed]
  92. Importing Posts into New Website with Same User ID’s
  93. Groups roles & capabilities
  94. Activation of new Registered site fails on multisite
  95. Is Multisite the RIGHT option for my case?
  96. How to Create WPMu New User?
  97. How can I display all Multisite blogs where this user is administrator?
  98. Multisite and users being listed on network administration dashboard and not main site dashboard
  99. Want to add post to user dashboard
  100. Change a subsite Admin role of a WordPress Multisite after 24 hours registering

Leave a Comment