Make WordPress Core

Opened 14 years ago

Closed 4 years ago

#15627 closed defect (bug) (worksforme)

wp_insert_user should not assume a default role

Reported by: nickmomrik
Owned by: westi
Milestone:
Priority: normal
Severity: normal
Version: 3.1
Component: Users
Keywords: close reporter-feedback
Focuses:
Cc:

Description

In a MS install, creating new users can add them to the main blog with the default role, resulting in hundreds, thousands, millions of users on that blog. Instead of assuming the default role, a role should be supplied by the calling function if one should be set.

Attachments (1)

delete-by-cap-key.diff (1013 bytes) - added by wonderboymusic 12 years ago.


Change History (16)

#1 @westi
14 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release
  • Owner set to westi
  • Status changed from new to accepted

#2 @nacin
14 years ago

This sounds like a partial vestige of the dashboard blog. 3.1 material?

#3 @westi
13 years ago

  • Keywords needs-patch westi-likes added; 3.2-early removed
  • Priority changed from normal to low
  • Severity changed from normal to minor

If this had a patch on it I would consider it for 3.2

Without a patch I am not going to prioritise working on it for now.

I think we need to review all calls to wp_insert_user in core and set the role arg to the value of get_option('default_role') when appropriate.

Then we can remove:

	elseif ( !$update )
		$user->set_role(get_option('default_role'));

From the function itself.

#4 @dllh
13 years ago

  • Cc daryl@… added

I'm not clear on the repro for this. When I add a user at the top level of network admin (i.e., not from within the user area for a particular blog), the user is associated with no sites. This is evident in both the user list and in wp_usermeta, for which there is no wp_capabilities entry for the user I added. When I add a user to a particular site, he's added to that site only (and not the main blog, unless the site I'm adding him to is the main blog).

I would like to work on this but am not sure how to provoke the bug. I've tried adding users in various ways and so far have not managed to add a user to the default blog without explicitly trying to.

#5 @wonderboymusic
12 years ago

  • Keywords has-patch added; needs-patch removed

wpmu_create_user() was deleting a user_meta key with no $wpdb->prefix, which is dynamic to boot. My patch deletes the user_meta for capabilities with WP_User::cap_key as the key.

Before:

// Newly created users have no roles or caps until they are added to a blog.
delete_user_option( $user_id, 'capabilities' );
delete_user_option( $user_id, 'user_level' );

After:

$user = new WP_User( $user_id );
	
// Newly created users have no roles or caps until they are added to a blog.
delete_user_option( $user_id, $user->cap_key );
delete_user_option( $user_id, 'user_level' );

#6 @wonderboymusic
12 years ago

  • Milestone changed from Future Release to 3.6

#7 @markjaquith
12 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 23307:

Properly wipe capabilities from new site-independent multisite users by using the right key.

props wonderboymusic. fixes #15627

#8 @nacin
11 years ago

  • Milestone changed from 3.6 to 3.7
  • Resolution fixed deleted
  • Status changed from closed to reopened

This ticket was about wp_insert_user(). wpmu_create_user() was working just fine. [23307] broke it. See #25166 for 3.6.1. Reopening for 3.7.

#9 @nacin
11 years ago

In 25183:

Revert [23307] so new users in multisite are not automatically subscribers on the main site.

props duck_.
fixes #25166 for trunk.
see #15627.

#10 @nacin
11 years ago

In 25184:

Revert [23307] so new users in multisite are not automatically subscribers on the main site.

Merges [25183] to the 3.6 branch.

props duck_.
fixes #25166.
see #15627.
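
Why [23307] had the effect named in the revert message, as an added illustration that is not WordPress core code and not part of the ticket: the `demo_*` functions, the `wp_` prefix and the sample usermeta are constructed stand-ins. They model how `delete_user_option()` prepends the blog prefix unless told the option is global, while `WP_User::$cap_key` already contains that prefix.

```php
<?php
// Constructed stand-ins, not WordPress core. They model two core behaviours:
//  - WP_User::$cap_key is the blog prefix + 'capabilities' (already prefixed)
//  - delete_user_option() prepends the blog prefix unless $global is true
const DEMO_PREFIX = 'wp_'; // assumed main-site table prefix

// Constructed usermeta for a freshly inserted user (ID 7) that
// wp_insert_user() has given the default role on the main site.
function demo_fresh_usermeta(): array {
    return [ 7 => [
        'wp_capabilities' => [ 'subscriber' => true ],
        'wp_user_level'   => 0,
    ] ];
}

// Stand-in for WP_User::$cap_key on the main site.
function demo_cap_key(): string {
    return DEMO_PREFIX . 'capabilities';
}

// Stand-in for delete_user_option(): prefixes the name, then deletes that key.
function demo_delete_user_option( array &$meta, int $user_id, string $name, bool $global = false ): bool {
    $key = $global ? $name : DEMO_PREFIX . $name;
    if ( ! isset( $meta[ $user_id ][ $key ] ) ) {
        return false; // nothing is stored under the computed key
    }
    unset( $meta[ $user_id ][ $key ] );
    return true;
}

// Runs the wpmu_create_user() cleanup with the given option name and
// returns the roles the user still holds on the main site afterwards.
function demo_roles_after_cleanup( string $option_name ): array {
    $meta = demo_fresh_usermeta();
    demo_delete_user_option( $meta, 7, $option_name );
    demo_delete_user_option( $meta, 7, 'user_level' );
    return array_keys( $meta[7]['wp_capabilities'] ?? [] );
}

// "Before" form: the computed key is wp_capabilities, which exists and is removed.
var_dump( demo_roles_after_cleanup( 'capabilities' ) );

// "After" form from [23307]: the computed key is wp_wp_capabilities, which
// does not exist, so the default role assigned at insert time is left in place.
var_dump( demo_roles_after_cleanup( demo_cap_key() ) );
```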

#11 @nacin
11 years ago

  • Milestone changed from 3.7 to Future Release

#12 follow-up: @chriscct7
9 years ago

  • Keywords close added; westi-likes removed
  • Priority changed from low to normal
  • Severity changed from minor to normal

What is left to be done here?

#13 in reply to: ↑ 12 @swissspidy
9 years ago

What is left to be done here?

wp_insert_user() still needs to be updated to not just assume a role.

#14 @desrosj
5 years ago

  • Keywords needs-patch reporter-feedback added; has-patch removed
  • Milestone set to Future Release

Is anyone able to reproduce the issue that was originally reported here? I have tried:

  • Creating a user from the Network > Edit Site > Users screen.
  • Creating a user from the Network > Users > Add New screen.
  • Creating a user from the Primary Site > Users > Add New screen.
  • Creating a user from the Non Primary Site > Users > Add New screen.

I have been unable to get the created user added to the main blog at all. Not sure if this has been fixed with changes elsewhere, or if I am not taking the correct steps.

As far as I can tell, the default role will always be determined within the context of the current site when calling wp_insert_user().

Marking for close consideration until someone is able to reproduce the original issue.

#15 @hellofromTonya
4 years ago

  • Keywords needs-patch removed
  • Milestone Future Release deleted
  • Resolution set to worksforme
  • Status changed from reopened to closed

Closing this ticket as Jonathan marked it as a close candidate 15 months ago and there have been no further reports. But don't worry. If this problem persists today, please reopen and provide us with more information on the steps to reproduce the original issue.
