I’ve followed instructions found on this site and elsewhere on the internet intended to let me give certain people a registration link that will let them sign up with a specific user role.
The user role I want to give to some, but not all people, is a custom one called “unmonitored”. I have it working by adding this code to my functions.php file:
// signup stuff
add_action('register_form','show_role_field');
function show_role_field(){ ?>
<input id="role" type="hidden" tabindex="20" size="25" value= "<?php if (isset($_GET['role'])) {echo $_GET['role'];} ?>" name="role"/>
<?php
}
add_action('user_register', 'register_role');
function register_role($user_id, $password="", $meta=array()) {
$userdata = array();
$userdata['ID'] = $user_id;
$userdata['role'] = $_POST['role'];
//only allow if user role is my_role
if ($userdata['role'] == "unmonitored"){
wp_update_user($userdata);
}
}
This means that if someone registers at www.[mywebsiteurl].com/wp-login.php?action=register&role=unmonitored they are given the user role “unmonitored” – which is perfect.
But the problem is that if they mess up their registration by entering an email address that has already been taken or mis-typing their invitation code (I’m using a plugin called Easy Invitation Codes http://wordpress.org/plugins/baw-invitation-codes/) they are presented with an error on www.[mywebsiteurl].com/wp-login.php?action=register – the crucial &role=unmonitored disappears from the URL, the user completes their registration and they get assigned the default user role instead of the “unmonitored” one I need them to have.
Can anyone help me stop the error page stripping &role=unmonitored from the URL?
Happy to give any code needed, apologies if I’ve omitted any info – not yet hugely familiar with this side of WordPress.
This is an easy fix by simply using
$_REQUESTinstead of$_GETin your hidden field forregister_form. More importantly, you should be sanitizing the field before you echo it, otherwise you’re wide open to injection and CSRF: