Multisite author dropdown on post admin page lists ALL editable users

[rebootnow]

The author selection box is created in the function post_author_meta_box(). The following line gets the authors to populate the list:

$authors = get_editable_user_ids( get_current_user_id(), true, $post->post_type ); TODO: ROLE SYSTEM

For a multisite install this returns EVERY user who has a role on the blog AND is editable by the current logged in user. For the admin, that is everyone who has a role.

It does this because the query in get_editable_user_ids() only checks that the user has a wp_N_capabilities entry in the wp_usermeta table.

The query is built using:

$query = $wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s", $level_key);

and...

$query .= " AND meta_value != '0'";

For multisite the second part adds " AND wp_N_capabilities != 0" to the query, which has no effect. Looks like a bug that was introduced during the WP/WPMU merge.

Is the comment on line 262 of "wp-admin/includes/user.php" still valid: " wpmu site admins don't have user_levels"

I ask because in my multisite installs the admins do have user_levels and a simple fix to this in the short term is just to remove the conditional on is_multisite() in line 259 and query for "user_level" as the level key in all cases.

I understand that user levels are deprecated, but until a complete role system is in place this fix will make a big difference to admins of multisite installs with many users and few authors.

[scribu]

That code has been updated recently. See #14572

Re-open this ticket if you are able to reproduce the problem with the latest revision.