Make WordPress Core

Opened 15 years ago

Closed 13 years ago

#12693 closed defect (bug) (fixed)

Inaccurate user role filtering

Reported by: johnbillion Owned by: ryan
Milestone: 3.4 Priority: normal
Severity: minor Version: 2.9.2
Component: Role/Capability Keywords: has-patch 3.2-early
Focuses: Cc:

Description

When filtering users by role from the Users screen, the SQL query that filters users by role can return inaccurate results if a plugin has added custom user capabilities.

For example, when filtering users with a role of Editor, the query joins the usermeta table and adds this WHERE clause:

WHERE wp_usermeta.meta_key = 'wp_capabilities'
AND wp_usermeta.meta_value LIKE '%editor%'

If a plugin has added a new user capability such as 'manage_editors' then any user with this capability will show up in this list, regardless of their role, because their capabilities will contain the string 'manage_editors' which is matched by the query. The LIKE '%editor%' bit is the problem.

This is simple to fix. We'll just add double quotes around the role name in the query, and this will force it to match just the role name (which is stored in the database as a serialized string, and is therefore wrapped in double quotes).
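The following is an added illustration, not code from the ticket or from WordPress core: it runs the unquoted and the double-quoted LIKE patterns against constructed serialized capability rows in an in-memory SQLite table that mimics wp_usermeta (the table shape and the three sample users are assumptions). It also escapes LIKE metacharacters in the role name, which the ticket does not discuss.

```python
import sqlite3

# Constructed sample rows in the shape WordPress uses for wp_usermeta.
# meta_value is a PHP-serialized array of capability => true.
# User 2 is a subscriber who was granted a plugin capability
# 'manage_editors', which contains the substring 'editor'.
SAMPLE_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (2, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:14:"manage_editors";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_db():
    """Create an in-memory table standing in for wp_usermeta."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)"
    )
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def users_in_role(db, role, exact):
    """Return user_ids whose capabilities match `role`.

    exact=False reproduces the buggy  LIKE '%editor%'  clause.
    exact=True  reproduces the fix    LIKE '%"editor"%' , which can only
    match a serialized array key, never a substring of a longer one.
    """
    # Escape LIKE metacharacters so a role name cannot widen the pattern.
    escaped = role.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = f'%"{escaped}"%' if exact else f"%{escaped}%"
    rows = db.execute(
        "SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities' "
        "AND meta_value LIKE ? ESCAPE '\\' ORDER BY user_id",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("LIKE '%editor%'   ->", users_in_role(db, "editor", exact=False))
    print("LIKE '%\"editor\"%' ->", users_in_role(db, "editor", exact=True))
```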

Attachments (2)

12693.patch (874 bytes) - added by johnbillion 15 years ago.
12693.diff (613 bytes) - added by scribu 14 years ago.
Refreshed patch by 082net on #16556


Change History (16)

@johnbillion
15 years ago

#1 @johnbillion
15 years ago

  • Keywords has-patch added

Patch.

Be nice if this could make it into 3.0 as it's causing confusion on one of my sites at the moment.

#2 @nacin
15 years ago

  • Milestone changed from Unassigned to 3.0

I want to say we may do this elsewhere, but I'm not sure.

#3 @nacin
15 years ago

  • Component changed from Users to Role/Capability
  • Milestone changed from 3.0 to 3.1

#4 @nacin
14 years ago

  • Keywords commit added
  • Milestone changed from Awaiting Triage to 3.1

Until we kill serialization in #10201, this seems like a decent fix.

#5 @nacin
14 years ago

  • Cc scribu@… added

This code is now in the deprecated WP_User_Search. I can't find equivalent code in WP_User_Query.

#6 @scribu
14 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [16048]) More precise role querying. Props johnbillion for initial patch. Fixes #12693

#7 @nacin
14 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Not in all locations, it appears. See count_users().

#8 @scribu
14 years ago

  • Keywords needs-patch added; has-patch commit removed
  • Milestone changed from 3.1 to Future Release

@scribu
14 years ago

Refreshed patch by 082net on #16556

#9 @scribu
14 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 3.1

Should probably go in WP 3.1, to avoid inconsistencies between user searching and user counting.

#10 @ryan
14 years ago

  • Keywords 3.2-early added
  • Milestone changed from 3.1 to Future Release

Per bug scrub, punting to 3.2.

#11 @deltafactory
13 years ago

I'm running into this issue with the count_users() function. According to #16556 it was fixed in this ticket but appears to be waiting for a future version. What's needed to get this incorporated into 3.3.x or 3.4?

#12 @knutsp
13 years ago

  • Cc knut@… added

#13 @ryan
13 years ago

  • Milestone changed from Future Release to 3.4

#14 @ryan
13 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from reopened to closed

In [19735]:

Match the exact role name when counting users in a role. Props 082net. fixes #12693
