Opened 14 years ago
Closed 4 years ago
#15627 closed defect (bug) (worksforme)
wp_insert_user should not assume a default role
Reported by: | nickmomrik | Owned by: | westi |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.1 |
Component: | Users | Keywords: | close reporter-feedback |
Focuses: | Cc: |
Description
In a MS install, creating new users can add them to the main blog with the default role, resulting in hundreds, thousands, millions of users on that blog. Instead of assuming the default role, a role should be supplied by the calling function if one should be set.
Attachments (1)
Change History (16)
#1
@
14 years ago
- Keywords 3.2-early added
- Milestone changed from Awaiting Review to Future Release
- Owner set to westi
- Status changed from new to accepted
#3
@
13 years ago
- Keywords needs-patch westi-likes added; 3.2-early removed
- Priority changed from normal to low
- Severity changed from normal to minor
If this had a patch on it I would consider it for 3.2
Without a patch I am not going to prioritise working on it for now.
I think we need to review all calls to wp_insert_user in core and set the role arg to the value of get_option('default_role'))
when appropriate.
Then we can remove:
elseif ( !$update ) $user->set_role(get_option('default_role'));
From the function itself.
#4
@
13 years ago
- Cc daryl@… added
I'm not clear on the repro for this. When I add a user at the top level of network admin (ie, not from within the user area for a particular blog), the user is associated with no sites. This is evident in both the user list and in wp_usermeta, for which there is no wp_capabilities entry for the user I added. When I add a user to a particular site, he's added to that site only (and not the main blog, unless the site I'm adding him to is the main blog).
I would like to work on this but am not sure how to provoke the bug. I've tried adding users in various ways and so far have not managed to add a user to the default blog without explicitly trying to.
#5
@
12 years ago
- Keywords has-patch added; needs-patch removed
wpmu_create_user()
was deleting a user_meta key with no $wpdb->prefix
, which is dynamic to boot. My patch deletes the user_meta for capabilities with WP_User::cap_key as the key.
Before:
// Newly created users have no roles or caps until they are added to a blog. delete_user_option( $user_id, 'capabilities' ); delete_user_option( $user_id, 'user_level' );
After:
$user = new WP_User( $user_id ); // Newly created users have no roles or caps until they are added to a blog. delete_user_option( $user_id, $user->cap_key ); delete_user_option( $user_id, 'user_level' );
#8
@
11 years ago
- Milestone changed from 3.6 to 3.7
- Resolution fixed deleted
- Status changed from closed to reopened
#12
follow-up:
↓ 13
@
9 years ago
- Keywords close added; westi-likes removed
- Priority changed from low to normal
- Severity changed from minor to normal
What is left to be done here?
#13
in reply to:
↑ 12
@
9 years ago
What is left to be done here?
wp_insert_user()
still needs to be updated to not just assume a role.
#14
@
5 years ago
- Keywords needs-patch reporter-feedback added; has-patch removed
- Milestone set to Future Release
Is anyone able to reproduce the issue that was originally reported here? I have tried:
- Creating a user from the
Network > Edit Site > Users
screen. - Creating a user from the
Network > Users > Add New
screen. - Creating a user from the
Primary Site > Users > Add New
screen. - Creating a user from the
Non Primary Site > Users > Add New
screen.
I have been unable to get the created user added to the main blog at all. Not sure if this has been fixed with changes elsewhere, or if I am not taking the correct steps.
As far as I can tell, the default role will always be determined within the context of the current site when calling wp_insert_user()
.
Marking for close
consideration until someone is able to reproduce the original issue.
#15
@
4 years ago
- Keywords needs-patch removed
- Milestone Future Release deleted
- Resolution set to worksforme
- Status changed from reopened to closed
Closing this ticket as Jonathan marked it for close
candidate 15 months ago and there's been no further reports. But don't worry. If this problem persists today, please reopen and provide us with more information on the steps to reproduce the original issue.
This sounds like a partial vestige of the dashboard blog. 3.1 material?