WordPress.org

Make WordPress Core

Opened 8 months ago

Last modified 7 months ago

#25162 new defect (bug)

Users with no role can see inaccessible dashboard links

Reported by: johnbillion Owned by:
Milestone: Awaiting Review Priority: normal
Severity: minor Version: 3.0
Component: Users Keywords: needs-patch
Focuses: Cc:

Description

This only affects single site installs. Multisite works as expected thanks to the Global Dashboard.

Steps to reproduce:

  1. Edit a user on a single site install and change their role to "No role for this site"
  2. Log in as that user
  3. Note that you're immediately presented with a "You do not have sufficient permissions..." message due to the attempt to access the admin dashboard
  4. Visit the site home page and note that there are links to the admin dashboard and user profile screen in the admin toolbar that also result in a "You do not have sufficient permissions..." message

When a user with no role logs in we should:

  1. Redirect to the home page rather than the admin dashboard
  2. Not show the inaccessible links in the admin toolbar

Change History (6)

comment:1 kpdesign8 months ago

Would you still want this user to be able to see/edit their profile (no dashboard), or only access the public side of the website?

comment:2 johnbillion8 months ago

I don't think we should change the dashboard behaviour (no access for users with no role), just correct the display of inaccessible links.

Last edited 8 months ago by johnbillion (previous) (diff)

comment:3 follow-up: nacin8 months ago

No dashboard access means no ability to edit their profile, including their password.

I have never fully enjoyed that "No role for this site" and "Subscriber" are both exposed on single-site. "No role for this site" should really only be shown when a custom user table is in play. Not having a role in multisite is akin to removing the user.

comment:4 kpdesign8 months ago

On single site, the only way an admin can change a user's role to "No role for this site" is after they are already registered. New User Default Role on Settings > General starts at Subscriber.

Do we just want to work on the site redirect and fix the admin bar links/Meta widget links with this ticket? I can work on creating a patch, just want to verify the scope of this before I start.

comment:5 johnbillion7 months ago

kpdesign: Yes, I think that's what we should aim for. The redirect and the toolbar and meta widget links.

comment:6 in reply to: ↑ 3 knutsp7 months ago

Replying to nacin:

I have never fully enjoyed that "No role for this site" and "Subscriber" are both exposed on single-site. "No role for this site" should really only be shown when a custom user table is in play.

We need "No role for this site" on single site installs even if this site doesn't use custom user table. The default table of this site may be used by another site that has custom user table (and usermeta).

Note: See TracTickets for help on using tickets.