Opened 5 years ago

Last modified 5 months ago

#15627 reopened defect (bug)

wp_insert_user should not assume a default role

Reported by: nickmomrik
Owned by: westi
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.1
Component: Users
Keywords: has-patch close
Focuses:
Cc:

Description

In a MS install, creating new users can add them to the main blog with the default role, resulting in hundreds, thousands, millions of users on that blog. Instead of assuming the default role, a role should be supplied by the calling function if one should be set.

Attachments (1)

delete-by-cap-key.diff (1013 bytes) - added by wonderboymusic 4 years ago.

Change History (14)

#1 @westi
5 years ago

  • Keywords 3.2-early added
  • Milestone changed from Awaiting Review to Future Release
  • Owner set to westi
  • Status changed from new to accepted

#2 @nacin
5 years ago

This sounds like a partial vestige of the dashboard blog. 3.1 material?

#3 @westi
5 years ago

  • Keywords needs-patch westi-likes added; 3.2-early removed
  • Priority changed from normal to low
  • Severity changed from normal to minor

If this had a patch on it I would consider it for 3.2

Without a patch I am not going to prioritise working on it for now.

I think we need to review all calls to wp_insert_user in core and set the role arg to the value of get_option('default_role') when appropriate.

Then we can remove:

	elseif ( !$update )
		$user->set_role(get_option('default_role'));

From the function itself.

#4 @dllh
5 years ago

  • Cc daryl@… added

I'm not clear on the repro for this. When I add a user at the top level of network admin (i.e., not from within the user area for a particular blog), the user is associated with no sites. This is evident in both the user list and in wp_usermeta, for which there is no wp_capabilities entry for the user I added. When I add a user to a particular site, he's added to that site only (and not the main blog, unless the site I'm adding him to is the main blog).

I would like to work on this but am not sure how to provoke the bug. I've tried adding users in various ways and so far have not managed to add a user to the default blog without explicitly trying to.

#5 @wonderboymusic
4 years ago

  • Keywords has-patch added; needs-patch removed

wpmu_create_user() was deleting a user_meta key with no $wpdb->prefix, which is dynamic to boot. My patch deletes the user_meta for capabilities with WP_User::cap_key as the key.

Before:

// Newly created users have no roles or caps until they are added to a blog.
delete_user_option( $user_id, 'capabilities' );
delete_user_option( $user_id, 'user_level' );

After:

$user = new WP_User( $user_id );
	
// Newly created users have no roles or caps until they are added to a blog.
delete_user_option( $user_id, $user->cap_key );
delete_user_option( $user_id, 'user_level' );

#6 @wonderboymusic
3 years ago

  • Milestone changed from Future Release to 3.6

#7 @markjaquith
3 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 23307:

Properly wipe capabilities from new site-independent multisite users by using the right key.

props wonderboymusic. fixes #15627

#8 @nacin
3 years ago

  • Milestone changed from 3.6 to 3.7
  • Resolution fixed deleted
  • Status changed from closed to reopened

This ticket was about wp_insert_user(). wpmu_create_user() was working just fine. [23307] broke it. See #25166 for 3.6.1. Reopening for 3.7.
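
An added example, not part of the ticket or of WordPress core: a simplified stand-alone PHP model of why the "After" code in comment #5 left the default role in place. It relies on delete_user_option() prepending the blog prefix to the option name when the option is not global, and on WP_User::cap_key already containing that prefix; the `model_*` functions, `has_main_site_role()` and the `wp_` prefix value are constructed for illustration.

```php
<?php
// Simplified stand-alone model (assumption): an array stands in for one user's
// wp_usermeta rows, and the functions below are stand-ins, not WordPress code.
const BLOG_PREFIX = 'wp_'; // constructed value standing in for $wpdb->get_blog_prefix()

// Models delete_user_option() with $global = false: the blog prefix is
// prepended to the option name before the meta row is deleted.
function model_delete_user_option(array &$meta, string $option): bool {
    $key = BLOG_PREFIX . $option;
    if (!array_key_exists($key, $meta)) {
        return false; // nothing matched, nothing deleted
    }
    unset($meta[$key]);
    return true;
}

// Models the state right after wp_insert_user() applied the default role.
function model_new_user_meta(): array {
    return [
        BLOG_PREFIX . 'capabilities' => ['subscriber' => true],
        BLOG_PREFIX . 'user_level'   => 0,
    ];
}

// Check a site owner could adapt: a user meant to be site-independent must
// hold no capabilities row for the main site.
function has_main_site_role(array $meta): bool {
    return !empty($meta[BLOG_PREFIX . 'capabilities']);
}

// Models WP_User::cap_key, which already includes the blog prefix.
$cap_key = BLOG_PREFIX . 'capabilities';

// "Before" code: bare option name, so the prefix is added exactly once.
$before = model_new_user_meta();
model_delete_user_option($before, 'capabilities');
model_delete_user_option($before, 'user_level');

// "After" code from the patch: already-prefixed key, so the lookup targets
// wp_wp_capabilities and the real capabilities row survives.
$after = model_new_user_meta();
$deleted = model_delete_user_option($after, $cap_key);
model_delete_user_option($after, 'user_level');

printf("before: %s role on main site: %s\n", json_encode($before), has_main_site_role($before) ? 'yes' : 'no');
printf("after:  %s role on main site: %s (capabilities row deleted: %s)\n",
    json_encode($after), has_main_site_role($after) ? 'yes' : 'no', $deleted ? 'yes' : 'no');
```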

#9 @nacin
3 years ago

In 25183:

Revert [23307] so new users in multisite are not automatically subscribers on the main site.

props duck_.
fixes #25166 for trunk.
see #15627.

#10 @nacin
3 years ago

In 25184:

Revert [23307] so new users in multisite are not automatically subscribers on the main site.

Merges [25183] to the 3.6 branch.

props duck_.
fixes #25166.
see #15627.

#11 @nacin
3 years ago

  • Milestone changed from 3.7 to Future Release

#12 follow-up: @chriscct7
7 months ago

  • Keywords close added; westi-likes removed
  • Priority changed from low to normal
  • Severity changed from minor to normal

What is left to be done here?

#13 in reply to: ↑ 12 @swissspidy
5 months ago

> What is left to be done here?

wp_insert_user() still needs to be updated to not just assume a role.
