From 3c2979ec2ac84329a0d0a25cbc9deb34417e92c1 Mon Sep 17 00:00:00 2001
From: Hug0-Drelon
Date: Thu, 22 May 2025 15:39:14 +0200
Subject: [PATCH] Die early when current user set no roles to itself.

---
 src/wp-admin/users.php | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/wp-admin/users.php b/src/wp-admin/users.php
index 6e10c2b8311f7..ea5b54e7c82c9 100644
--- a/src/wp-admin/users.php
+++ b/src/wp-admin/users.php
@@ -143,13 +143,18 @@
 wp_die( __( 'Sorry, you are not allowed to edit this user.' ), 403 );
 }
 
-// The new role of the current user must also have the promote_users cap or be a multisite super admin.
-if ( $id === $current_user->ID
-&& ! $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' )
-&& ! ( is_multisite() && current_user_can( 'manage_network_users' ) )
-) {
-$update = 'err_admin_role';
+// The new role of the current user must also have the promote_users cap, be a multisite super admin and not be empty.
+if ( $id === $current_user->ID ) {
+if ( '' === $role ) {
+wp_die( __( 'Sorry, you cannot remove your own role.' ), 403 );
+}
+
+if ( $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' ) || ( is_multisite() && current_user_can( 'manage_network_users' ) ) ) {
 continue;
+}
+
+$update = 'err_admin_role';
+continue;
 }
 
 // If the user doesn't already belong to the blog, bail.
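Review bot: The allowed path of the new self-role check ends in `continue;` (the kept context line inside `if ( $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' ) || ( is_multisite() && current_user_can( 'manage_network_users' ) ) )`), which abandons the rest of the loop iteration, so a current user switching to another role that still carries `promote_users` never has the new role applied, whereas before this change that case fell through to the remainder of the loop body. The loop body continues outside the hunk so I cannot see exactly what is skipped, but the original code only reached `continue` on the `err_admin_role` path, and the new branch appears to have been built around that kept line by accident. Negating the condition and keeping `continue` only on the error branch restores the previous behaviour while preserving the new empty-role `wp_die()`. The updated comment also reads as if all three conditions must hold together; `// The current user's new role must not be empty, and must keep the promote_users cap or the user must be a multisite super admin.` states the actual rule.

```php
if ( $id === $current_user->ID ) {
	// … unchanged: empty-role wp_die() …

	// Only the disallowed case is skipped; an allowed self role change falls through to the rest of the loop body.
	if ( ! $wp_roles->role_objects[ $role ]->has_cap( 'promote_users' )
		&& ! ( is_multisite() && current_user_can( 'manage_network_users' ) )
	) {
		$update = 'err_admin_role';
		continue;
	}
}
// … unchanged: rest of the loop body …
```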