Multisite author dropdown on post admin page lists ALL editable users
|Reported by:||rebootnow||Owned by:|
The author selection box is created in the function post_author_meta_box(). The following line gets the authors to populate the list:
$authors = get_editable_user_ids( get_current_user_id(), true, $post->post_type ); TODO: ROLE SYSTEM
For a multisite install this returns EVERY user who has a role on the blog AND is editable by the current logged in user. For the admin, that is everyone who has a role.
It does this because the query in get_editable_user_ids() only checks that the user has a wp_N_capabilities entry in the wp_usermeta table.
The query is built using:
$query = $wpdb->prepare("SELECT user_id FROM $wpdb->usermeta WHERE meta_key = %s", $level_key);
$query .= " AND meta_value != '0'";
For multisite the second part adds " AND wp_N_capabilities != 0" to the query, which has no effect. Looks like a bug that was introduced during the WP/WPMU merge.
Is the comment on line 262 of "wp-admin/includes/user.php" still valid: " wpmu site admins don't have user_levels"
I ask because in my multisite installs the admins do have user_levels and a simple fix to this in the short term is just to remove the conditional on is_multisite() in line 259 and query for "user_level" as the level key in all cases.
I understand that user levels are deprecated, but until a complete role system is in place this fix will make a big difference to admins of multisite installs with many users and few authors.