Opened 3 years ago

Last modified 6 months ago

#15627 reopened defect (bug)

wp_insert_user should not assume a default role

Reported by: nickmomrik
Owned by: westi
Milestone: Future Release
Priority: low
Severity: minor
Version: 3.1
Component: Users
Keywords: westi-likes has-patch
Focuses:
Cc:

Description

In an MS install, creating new users can add them to the main blog with the default role, resulting in hundreds, thousands, millions of users on that blog. Instead of assuming the default role, a role should be supplied by the calling function if one should be set.

Attachments (1)

delete-by-cap-key.diff (1013 bytes) - added by wonderboymusic 19 months ago.


Change History (12)

comment:1 westi 3 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release
  • Owner set to westi
  • Status changed from new to accepted

comment:2 nacin 3 years ago

This sounds like a partial vestige of the dashboard blog. 3.1 material?

comment:3 westi 3 years ago

  • Keywords needs-patch westi-likes added; 3.2-early removed
  • Priority changed from normal to low
  • Severity changed from normal to minor

If this had a patch on it I would consider it for 3.2

Without a patch I am not going to prioritise working on it for now.

I think we need to review all calls to wp_insert_user in core and set the role arg to the value of get_option('default_role') when appropriate.

Then we can remove:

	elseif ( !$update )
		$user->set_role(get_option('default_role'));

From the function itself.

comment:4 dllh 3 years ago

  • Cc daryl@… added

I'm not clear on the repro for this. When I add a user at the top level of network admin (i.e., not from within the user area for a particular blog), the user is associated with no sites. This is evident in both the user list and in wp_usermeta, for which there is no wp_capabilities entry for the user I added. When I add a user to a particular site, he's added to that site only (and not the main blog, unless the site I'm adding him to is the main blog).

I would like to work on this but am not sure how to provoke the bug. I've tried adding users in various ways and so far have not managed to add a user to the default blog without explicitly trying to.

comment:5 wonderboymusic 19 months ago

  • Keywords has-patch added; needs-patch removed

wpmu_create_user() was deleting a user_meta key with no $wpdb->prefix, which is dynamic to boot. My patch deletes the user_meta for capabilities with WP_User::cap_key as the key.

Before:

// Newly created users have no roles or caps until they are added to a blog.
delete_user_option( $user_id, 'capabilities' );
delete_user_option( $user_id, 'user_level' );

After:

$user = new WP_User( $user_id );
	
// Newly created users have no roles or caps until they are added to a blog.
delete_user_option( $user_id, $user->cap_key );
delete_user_option( $user_id, 'user_level' );

comment:6 wonderboymusic 16 months ago

  • Milestone changed from Future Release to 3.6

comment:7 markjaquith 15 months ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 23307:

Properly wipe capabilities from new site-independent multisite users by using the right key.

props wonderboymusic. fixes #15627

comment:8 nacin 8 months ago

  • Milestone changed from 3.6 to 3.7
  • Resolution fixed deleted
  • Status changed from closed to reopened

This ticket was about wp_insert_user(). wpmu_create_user() was working just fine. [23307] broke it. See #25166 for 3.6.1. Reopening for 3.7.

comment:9 nacin 8 months ago

In 25183:

Revert [23307] so new users in multisite are not automatically subscribers on the main site.

props duck_.
fixes #25166 for trunk.
see #15627.

comment:10 nacin 8 months ago

In 25184:

Revert [23307] so new users in multisite are not automatically subscribers on the main site.

Merges [25183] to the 3.6 branch.

props duck_.
fixes #25166.
see #15627.
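
Added example, not part of the ticket and not WordPress core code: a simplified model of why the "After" call in comment:5 left the default role in place, which is the behaviour comments 8 to 10 revert. It relies on delete_user_option() prepending the table prefix to the name it is given while WP_User::cap_key already contains that prefix; the model_* names, the wp_ prefix and the sample meta rows are assumptions made for the illustration.

```php
<?php
// Simplified stand-in for the usermeta rows of one user and the helpers involved.
// Constructed model, not WordPress source: every model_* name is hypothetical.

const MODEL_PREFIX = 'wp_'; // stands in for $wpdb->prefix on the main site

// Like delete_user_option() with $global = false: the table prefix is
// prepended to the option name before the matching meta row is deleted.
function model_delete_user_option(array &$usermeta, string $option): bool {
    $key = MODEL_PREFIX . $option;
    if (!array_key_exists($key, $usermeta)) {
        return false; // no row with that key, so nothing is deleted
    }
    unset($usermeta[$key]);
    return true;
}

// Like WP_User::cap_key: already the full, prefixed meta key.
function model_cap_key(): string {
    return MODEL_PREFIX . 'capabilities';
}

// Constructed sample: rows present after wp_insert_user() applied the default role.
function model_new_user_meta(): array {
    return [
        'wp_capabilities' => ['subscriber' => true],
        'wp_user_level'   => 0,
    ];
}

// "Before" call from comment:5: bare option name, prefix added exactly once.
$before = model_new_user_meta();
model_delete_user_option($before, 'capabilities');
model_delete_user_option($before, 'user_level');

// "After" call from comment:5: the prefixed cap_key is prefixed again
// (wp_wp_capabilities), matches no row, and the role survives.
$after = model_new_user_meta();
$hit = model_delete_user_option($after, model_cap_key());
model_delete_user_option($after, 'user_level');

printf("before: %s\n", json_encode($before));
printf("after:  %s (capabilities row matched: %s)\n",
    json_encode($after), $hit ? 'yes' : 'no');
```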

comment:11 nacin 6 months ago

  • Milestone changed from 3.7 to Future Release