Inaccurate user role filtering

[johnbillion]

When filtering users by role from the Users screen, the SQL query that filters users by role can return inaccurate results if a plugin has added custom user capabilities.

For example, when filtering users with a role of Editor, the query joins the usermeta table and adds this WHERE clause:

WHERE wp_usermeta.meta_key = 'wp_capabilities'
AND wp_usermeta.meta_value LIKE '%editor%'

If a plugin has added a new user capability such as 'manage_editors' then any user with this capability will show up in this list, regardless of their role, because their capabilities will contain the string 'manage_editors' which is matched by the query. The LIKE '%editor%' bit is the problem.

This is simple to fix. We'll just add double quotes around the role name in the query, and this will force it to match just the role name (which is stored in the database as a serialzed string, and is therefore wrapped in double quotes).

Patch.

Be nice if this could make it into 3.0 as it's causing confusion on one of my sites at the moment.

I want to say we may do this elsewhere, but I'm not sure.

Until we kill serialization in #10201, this seems like a decent fix.

This code is now in the deprecated WP_User_Search. I can't find equivalent code in WP_User_Query.

(In [16048]) More precise role querying. Props johnbillion for initial patch. Fixes #12693

Not in all locations, it appears. See count_users().

Refreshed patch by 082net on #16556

Should probably go in WP 3.1, to avoid inconsistencies between user searching and user counting.

Per bug scrub, punting to 3.2.

I'm running into this issue with the count_users() function. According to #16556 it was fixed in this ticket but appears to be waiting for a future version. What's needed to get this incorporated into 3.3.x or 3.4?

In [19735]:

Match the exact role name when counting users in a role. Props 082net. fixes #12693