Opened 11 years ago

Closed 11 months ago

#15627 closed defect (bug) (worksforme)

wp_insert_user should not assume a default role

Reported by: nickmomrik
Owned by: westi
Milestone:
Priority: normal
Severity: normal
Version: 3.1
Component: Users
Keywords: close reporter-feedback
Focuses:
Cc:

Description

In a MS install, creating new users can add them to the main blog with the default role, resulting in hundreds, thousands, millions of users on that blog. Instead of assuming the default role, a role should be supplied by the calling function if one should be set.

Attachments (1)

delete-by-cap-key.diff (1013 bytes) - added by wonderboymusic 9 years ago.


Change History (16)

#1 @westi
11 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release
  • Owner set to westi
  • Status changed from new to accepted

#2 @nacin
11 years ago

This sounds like a partial vestige of the dashboard blog. 3.1 material?

#3 @westi
11 years ago

  • Keywords needs-patch westi-likes added; 3.2-early removed
  • Priority changed from normal to low
  • Severity changed from normal to minor

If this had a patch on it I would consider it for 3.2

Without a patch I am not going to prioritise working on it for now.

I think we need to review all calls to wp_insert_user in core and set the role arg to the value of get_option('default_role') when appropriate.

Then we can remove:

	elseif ( !$update )
		$user->set_role(get_option('default_role'));

From the function itself.

#4 @dllh
10 years ago

  • Cc daryl@… added

I'm not clear on the repro for this. When I add a user at the top level of network admin (i.e., not from within the user area for a particular blog), the user is associated with no sites. This is evident in both the user list and in wp_usermeta, for which there is no wp_capabilities entry for the user I added. When I add a user to a particular site, he's added to that site only (and not the main blog, unless the site I'm adding him to is the main blog).

I would like to work on this but am not sure how to provoke the bug. I've tried adding users in various ways and so far have not managed to add a user to the default blog without explicitly trying to.

#5 @wonderboymusic
9 years ago

  • Keywords has-patch added; needs-patch removed

wpmu_create_user() was deleting a user_meta key with no $wpdb->prefix, which is dynamic to boot. My patch deletes the user_meta for capabilities with WP_User::cap_key as the key.

Before:

// Newly created users have no roles or caps until they are added to a blog.
delete_user_option( $user_id, 'capabilities' );
delete_user_option( $user_id, 'user_level' );

After:

$user = new WP_User( $user_id );
	
// Newly created users have no roles or caps until they are added to a blog.
delete_user_option( $user_id, $user->cap_key );
delete_user_option( $user_id, 'user_level' );

#6 @wonderboymusic
9 years ago

  • Milestone changed from Future Release to 3.6

#7 @markjaquith
9 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 23307:

Properly wipe capabilities from new site-independent multisite users by using the right key.

props wonderboymusic. fixes #15627

#8 @nacin
8 years ago

  • Milestone changed from 3.6 to 3.7
  • Resolution fixed deleted
  • Status changed from closed to reopened

This ticket was about wp_insert_user(). wpmu_create_user() was working just fine. [23307] broke it. See #25166 for 3.6.1. Reopening for 3.7.

#9 @nacin
8 years ago

In 25183:

Revert [23307] so new users in multisite are not automatically subscribers on the main site.

props duck_.
fixes #25166 for trunk.
see #15627.

#10 @nacin
8 years ago

In 25184:

Revert [23307] so new users in multisite are not automatically subscribers on the main site.

Merges [25183] to the 3.6 branch.

props duck_.
fixes #25166.
see #15627.
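
Why the key change in [23307] left new multisite users with a role on the main site, as an added example that is not code from the ticket or from WordPress core: delete_user_option() prepends the blog prefix itself unless its third $global argument is true, while WP_User::cap_key is already prefixed, so the lookup targets a doubled prefix and deletes nothing. The sim_* functions are simplified stand-ins for the core functions, and the 'wp_' prefix and user ID 7 are constructed values.

```php
<?php
// Simplified stand-ins for WordPress core, written for this example only.
const BLOG_PREFIX = 'wp_'; // constructed: main-site prefix from $wpdb->get_blog_prefix()
const USER_ID     = 7;     // constructed user ID

// Stand-in for delete_user_meta() over an in-memory wp_usermeta: [user_id][meta_key].
function sim_delete_user_meta(array &$meta, int $user_id, string $key): bool {
    if (!isset($meta[$user_id][$key])) {
        return false; // no such row, nothing deleted
    }
    unset($meta[$user_id][$key]);
    return true;
}

// Mirrors core's rule: the blog prefix is prepended unless $global is true.
function sim_delete_user_option(array &$meta, int $user_id, string $option, bool $global = false): bool {
    $key = $global ? $option : BLOG_PREFIX . $option;
    return sim_delete_user_meta($meta, $user_id, $key);
}

// Meta as wp_insert_user() leaves it after assigning the default role.
function sim_fresh_meta(): array {
    return [USER_ID => [
        BLOG_PREFIX . 'capabilities' => ['subscriber' => true],
        BLOG_PREFIX . 'user_level'   => 0,
    ]];
}

// Returns true when the user still holds a role on the main site.
function has_main_site_role(array $meta): bool {
    return isset($meta[USER_ID][BLOG_PREFIX . 'capabilities']);
}

$cap_key = BLOG_PREFIX . 'capabilities'; // WP_User::cap_key is already prefixed

$cases = [
    'unprefixed key (original code)' => ['capabilities', false],
    'cap_key, as in [23307]'         => [$cap_key, false], // looks up wp_wp_capabilities
    'cap_key with $global = true'    => [$cap_key, true],  // alternative, not what core did
];

foreach ($cases as $label => [$option, $global]) {
    $meta    = sim_fresh_meta();
    $deleted = sim_delete_user_option($meta, USER_ID, $option, $global);
    printf("%-32s deleted=%s main_site_role=%s\n", $label,
        var_export($deleted, true), var_export(has_main_site_role($meta), true));
}
```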

#11 @nacin
8 years ago

  • Milestone changed from 3.7 to Future Release

#12 follow-up: @chriscct7
6 years ago

  • Keywords close added; westi-likes removed
  • Priority changed from low to normal
  • Severity changed from minor to normal

What is left to be done here?

#13 in reply to: ↑ 12 @swissspidy
6 years ago

What is left to be done here?

wp_insert_user() still needs to be updated to not just assume a role.

#14 @desrosj
2 years ago

  • Keywords needs-patch reporter-feedback added; has-patch removed
  • Milestone set to Future Release

Is anyone able to reproduce the issue that was originally reported here? I have tried:

  • Creating a user from the Network > Edit Site > Users screen.
  • Creating a user from the Network > Users > Add New screen.
  • Creating a user from the Primary Site > Users > Add New screen.
  • Creating a user from the Non Primary Site > Users > Add New screen.

I have been unable to get the created user added to the main blog at all. Not sure if this has been fixed with changes elsewhere, or if I am not taking the correct steps.

As far as I can tell, the default role will always be determined within the context of the current site when calling wp_insert_user().

Marking for close consideration until someone is able to reproduce the original issue.

#15 @hellofromTonya
11 months ago

  • Keywords needs-patch removed
  • Milestone Future Release deleted
  • Resolution set to worksforme
  • Status changed from reopened to closed

Closing this ticket as Jonathan marked it as a close candidate 15 months ago and there have been no further reports. But don't worry. If this problem persists today, please reopen and provide us with more information on the steps to reproduce the original issue.
