Inaccurate user role filtering
|Reported by:||johnbillion||Owned by:||ryan|
When filtering users by role from the Users screen, the SQL query that filters users by role can return inaccurate results if a plugin has added custom user capabilities.
For example, when filtering users with a role of Editor, the query joins the usermeta table and adds this WHERE clause:
WHERE wp_usermeta.meta_key = 'wp_capabilities' AND wp_usermeta.meta_value LIKE '%editor%'
If a plugin has added a new user capability such as 'manage_editors' then any user with this capability will show up in this list, regardless of their role, because their capabilities will contain the string 'manage_editors' which is matched by the query. The LIKE '%editor%' bit is the problem.
This is simple to fix. We'll just add double quotes around the role name in the query, and this will force it to match just the role name (which is stored in the database as a serialized string, and is therefore wrapped in double quotes).
Change History (16)
- Component changed from Users to Role/Capability
- Milestone changed from 3.0 to 3.1
- Keywords needs-patch added; has-patch commit removed
- Milestone changed from 3.1 to Future Release
- Keywords has-patch added; needs-patch removed
- Milestone changed from Future Release to 3.1
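The false match described in the ticket, reproduced as an added example (not code from the ticket or from WordPress): it runs the unquoted and the quoted LIKE pattern against constructed `wp_capabilities` rows in an in-memory SQLite database. It goes one step beyond the ticket by also escaping LIKE wildcards in the role name; the helper names, the sample users and the `shop_manager` role are assumptions made for illustration.

```python
import sqlite3

def php_serialize_caps(caps):
    """Serialize names as a PHP array {name: true}, the layout of wp_capabilities."""
    body = "".join(f's:{len(k.encode())}:"{k}";b:1;' for k in caps)
    return f"a:{len(caps)}:{{{body}}}"

def escape_like(text):
    """Hypothetical helper: escape LIKE wildcards so '_' and '%' match literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

# Constructed sample users: (user_id, roles/capabilities held by that user)
SAMPLE = [
    (1, ["editor"]),
    (2, ["subscriber", "manage_editors"]),  # plugin capability, not an Editor
    (3, ["author"]),
    (4, ["shop_manager"]),
    (5, ["shopXmanager"]),  # matches shop_manager only if '_' acts as a wildcard
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany(
        "INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)",
        [(uid, php_serialize_caps(caps)) for uid, caps in SAMPLE],
    )
    return db

def users_with_role(db, role, quoted):
    """quoted=False is the query from the ticket; quoted=True wraps the role in quotes."""
    pattern = f'%"{escape_like(role)}"%' if quoted else f"%{role}%"
    rows = db.execute(
        "SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities' "
        "AND meta_value LIKE ? ESCAPE '\\' ORDER BY user_id",
        (pattern,),
    )
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    for role in ("editor", "shop_manager"):
        print(role, "unquoted:", users_with_role(db, role, False),
              "quoted:", users_with_role(db, role, True))
```
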