WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 8 years ago

#12693 closed defect (bug) (fixed)

Inaccurate user role filtering

Reported by: johnbillion
Owned by: ryan
Milestone: 3.4
Priority: normal
Severity: minor
Version: 2.9.2
Component: Role/Capability
Keywords: has-patch 3.2-early

Description

When filtering users by role from the Users screen, the SQL query that filters users by role can return inaccurate results if a plugin has added custom user capabilities.

For example, when filtering users with a role of Editor, the query joins the usermeta table and adds this WHERE clause:

WHERE wp_usermeta.meta_key = 'wp_capabilities'
AND wp_usermeta.meta_value LIKE '%editor%'

If a plugin has added a new user capability such as 'manage_editors' then any user with this capability will show up in this list, regardless of their role, because their capabilities will contain the string 'manage_editors' which is matched by the query. The LIKE '%editor%' bit is the problem.

This is simple to fix. We'll just add double quotes around the role name in the query, and this will force it to match just the role name (which is stored in the database as a serialized string, and is therefore wrapped in double quotes).
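The following is an added example, not code from the ticket or from WordPress core. It reproduces the false positive described in the report against an in-memory SQLite table and runs the unquoted and the quoted LIKE pattern side by side. The table, the three users and the plugin capability 'manage_editors' are constructed for the demo; the serializer only covers the `a:N:{s:len:"key";b:1;...}` shape that PHP's serialize() produces for a wp_capabilities array. The `ESCAPE` clause and the escaping of `%`, `_` and `\` are an added caveat: the role name should be matched literally even when it contains LIKE metacharacters (an underscore in a role name would otherwise act as a single-character wildcard).

```python
"""Added example (not from the ticket or WordPress): reproduce the
role-filter false positive and the quoted-role fix with sqlite3."""
import sqlite3


def php_serialize_caps(caps):
    """Serialize a {name: bool} dict the way PHP's serialize() writes the
    wp_capabilities array: a:N:{s:len:"key";b:1;...}. Only the subset of
    PHP's format WordPress uses for capabilities is implemented here."""
    body = "".join(f's:{len(k)}:"{k}";b:{1 if v else 0};' for k, v in caps.items())
    return f"a:{len(caps)}:{{{body}}}"


# Constructed fixture: only user 2 holds the editor role. User 3 is a
# subscriber who was granted a (hypothetical) plugin capability whose
# name merely contains the substring 'editor'.
USERS = {
    1: {"administrator": True},
    2: {"editor": True},
    3: {"subscriber": True, "manage_editors": True},
}


def build_db():
    """Create a minimal wp_usermeta table holding serialized capabilities."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    db.executemany(
        "INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)",
        [(uid, php_serialize_caps(caps)) for uid, caps in USERS.items()],
    )
    return db


def escape_like(s, esc="\\"):
    """Escape LIKE metacharacters so the role name is matched literally."""
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


ROLE_QUERY = (
    "SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities' "
    "AND meta_value LIKE ? ESCAPE '\\' ORDER BY user_id"
)


def users_with_role_naive(db, role):
    """The pre-fix query from the report: LIKE '%role%', a plain substring
    match on the serialized blob. Any capability whose name contains the
    role name produces a false positive."""
    pattern = "%" + escape_like(role) + "%"
    return [r[0] for r in db.execute(ROLE_QUERY, (pattern,))]


def users_with_role_fixed(db, role):
    """The fix proposed in the ticket: match the quoted key '"role"' exactly
    as PHP serialization writes it, so 'manage_editors' no longer matches
    a filter for 'editor'."""
    pattern = '%"' + escape_like(role) + '"%'
    return [r[0] for r in db.execute(ROLE_QUERY, (pattern,))]


if __name__ == "__main__":
    db = build_db()
    print("naive:", users_with_role_naive(db, "editor"))  # [2, 3]: user 3 leaks in
    print("fixed:", users_with_role_fixed(db, "editor"))  # [2]
```

The quoted pattern still performs a substring match on a serialized array rather than a structured lookup: a capability key that is literally identical to a role name would still match, which is the limitation nacin alludes to below when pointing at the ticket to remove serialization. MySQL treats backslash as the LIKE escape character by default; SQLite needs the explicit `ESCAPE` clause used here.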

Attachments (2)

12693.patch (874 bytes) - added by johnbillion 10 years ago.
12693.diff (613 bytes) - added by scribu 9 years ago.
Refreshed patch by 082net on #16556


Change History (16)

@johnbillion
10 years ago

#1 @johnbillion
10 years ago

  • Keywords has-patch added

Patch.

Be nice if this could make it into 3.0 as it's causing confusion on one of my sites at the moment.

#2 @nacin
10 years ago

  • Milestone changed from Unassigned to 3.0

I want to say we may do this elsewhere, but I'm not sure.

#3 @nacin
9 years ago

  • Component changed from Users to Role/Capability
  • Milestone changed from 3.0 to 3.1

#4 @nacin
9 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Triage to 3.1

Until we kill serialization in #10201, this seems like a decent fix.

#5 @nacin
9 years ago

  • Cc scribu@… added

This code is now in the deprecated WP_User_Search. I can't find equivalent code in WP_User_Query.

#6 @scribu
9 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [16048]) More precise role querying. Props johnbillion for initial patch. Fixes #12693

#7 @nacin
9 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Not in all locations, it appears. See count_users().

#8 @scribu
9 years ago

  • Keywords needs-patch added; has-patch commit removed
  • Milestone changed from 3.1 to Future Release

@scribu
9 years ago

Refreshed patch by 082net on #16556

#9 @scribu
9 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 3.1

Should probably go in WP 3.1, to avoid inconsistencies between user searching and user counting.

#10 @ryan
9 years ago

  • Keywords 3.2-early added
  • Milestone changed from 3.1 to Future Release

Per bug scrub, punting to 3.2.

#11 @deltafactory
8 years ago

I'm running into this issue with the count_users() function. According to #16556 it was fixed in this ticket but appears to be waiting for a future version. What's needed to get this incorporated into 3.3.x or 3.4?

#12 @knutsp
8 years ago

  • Cc knut@… added

#13 @ryan
8 years ago

  • Milestone changed from Future Release to 3.4

#14 @ryan
8 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from reopened to closed

In [19735]:

Match the exact role name when counting users in a role. Props 082net. fixes #12693
