Custom registration URL lost when user makes signup mistake

I’ve followed instructions found on this site and elsewhere on the internet intended to let me give certain people a registration link that will let them sign up with a specific user role.

The user role I want to give to some, but not all people, is a custom one called “unmonitored”. I have it working by adding this code to my functions.php file:

Read More
    // signup stuff
    add_action('register_form','show_role_field');
    function show_role_field(){ ?>
    <input id="role" type="hidden" tabindex="20" size="25" value= "<?php if (isset($_GET['role'])) {echo $_GET['role'];} ?>"  name="role"/>
    <?php
    }

    add_action('user_register', 'register_role');

    function register_role($user_id, $password="", $meta=array()) {

       $userdata = array();
       $userdata['ID'] = $user_id;
       $userdata['role'] = $_POST['role'];

       //only allow if user role is my_role

       if ($userdata['role'] == "unmonitored"){
          wp_update_user($userdata);
       }
    }

This means that if someone registers at www.[mywebsiteurl].com/wp-login.php?action=register&role=unmonitored they are given the user role “unmonitored” – which is perfect.

But the problem is that if they mess up their registration by entering an email address that has already been taken or mis-typing their invitation code (I’m using a plugin called Easy Invitation Codes http://wordpress.org/plugins/baw-invitation-codes/) they are presented with an error on www.[mywebsiteurl].com/wp-login.php?action=register – the crucial &role=unmonitored disappears from the URL, the user completes their registration and they get assigned the default user role instead of the “unmonitored” one I need them to have.

Can anyone help me stop the error page stripping &role=unmonitored from the URL?

Happy to give any code needed, apologies if I’ve omitted any info – not yet hugely familiar with this side of WordPress.

Related posts

Leave a Reply

1 comment

  1. This is an easy fix by simply using $_REQUEST instead of $_GET in your hidden field for register_form. More importantly, you should be sanitizing the field before you echo it, otherwise you’re wide open to injection and CSRF:

     <?php if ( isset( $_REQUEST['role'] ) ) echo esc_attr( $_REQUEST['role'] ) ?>