Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#28493 closed defect (bug) (invalid)

Multi site: User can still log into network after being removed from a site

Reported by: Jpyper
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.5.2
Component: Users
Keywords:
Focuses: administration, multisite
Cc:


Encountered on a 3.5.2 install, tested and confirmed still a problem in 3.9.1.

I count this a bug because once removed from all sites on a network, a user should definitely not be able to log in again for any reason with the same credentials.

The real issue here is deleting a user from an individual site does not remove it from the network even when they are not registered to any other sites.

I'm happy to make a patch for this but I'd like some input on the best way to go about it.

- Multisite network
- Delete single user from single site, user is not registered on any other site.
- User uses login info associated with deleted user and gains access but is only allowed to view the dashboard and edit their profile info.
- User is not removed from wp_users and wp_usermeta still has rows using this user ID.

Expected: If user is not registered on other blogs, they should be removed completely from the network when removed from the single site they are registered on.

My thought is to make an addition to remove_user_from_blog in wp-includes/ms-functions.php (called by remove_user_from_blog in wp-admin/includes/ms.php) where it does

$blogs = get_blogs_of_user($user_id);
if ( count($blogs) == 0 ) {
	update_user_meta($user_id, 'primary_blog', '');
	update_user_meta($user_id, 'source_domain', '');

Could do

$wpdb->delete( $wpdb->users, array( 'ID' => $user_id ) );
$wpdb->delete( $wpdb->usermeta, array( 'user_id' => $user_id ) ); // wp_usermeta rows are keyed by user_id, not ID

similar to wp_delete_user (wp-admin/includes/user.php)

It's worth noting that just above wpmu_delete_user is

// @todo Merge with wp_delete_user() ?

So maybe it's time for that, but I would like to at least get in having the user removed from the network upon removal of the last blog they are registered to.

If the best thing I could do right now for feedback purposes is submit a patch with my idea of what would fix it, then I can just do that.

Change History (3)

#1 @DrewAPicture
10 years ago

  • Keywords close added

Hi Jpyper,

Thank you for the report :-)

However, this is actually expected behavior, i.e. a feature, not a bug. It's important to note the difference in terminology between "removing" and "deleting" a user. You remove a user from a site and delete a user from the network. If you want to delete a user from the network, that should be done from the Network Admin > Users screen.

The case where a user belongs to no sites but still belongs to the network is actually where the User Admin comes in (/wp-admin/user/). It's not an oft-visited section of the WordPress back-end, though I seem to recall that it's leveraged by, for example.

Suggest close.
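
An added example, not part of the ticket or of WordPress core: a read-only audit that lists network accounts belonging to no site, the state described above in which the account can still log in. The function name `audit_orphaned_network_users` is hypothetical, and the script assumes it runs inside a loaded multisite WordPress, for instance through WP-CLI's `wp eval-file`.

```php
<?php
/**
 * Added example (not WordPress core code): list network users who belong to
 * no site. Such accounts keep their row in wp_users and can still log in.
 * The function name is hypothetical.
 *
 * @return array[] One entry per orphaned account: ID, user_login, user_registered.
 */
function audit_orphaned_network_users() {
	if ( ! is_multisite() ) {
		return array(); // Site membership only exists on multisite.
	}

	// blog_id => 0 lifts the per-site filter so every network user is returned.
	$users = get_users( array(
		'blog_id' => 0,
		'fields'  => array( 'ID', 'user_login', 'user_registered' ),
		'orderby' => 'ID',
	) );

	$orphans = array();
	foreach ( $users as $user ) {
		$user_id = (int) $user->ID;

		// Super admins manage the network and need no site membership.
		if ( is_super_admin( $user_id ) ) {
			continue;
		}

		// $all = true also counts archived, spam and deleted sites, so a user
		// is reported only when no site membership remains at all.
		if ( 0 === count( get_blogs_of_user( $user_id, true ) ) ) {
			$orphans[] = array(
				'ID'              => $user_id,
				'user_login'      => $user->user_login,
				'user_registered' => $user->user_registered,
			);
		}
	}
	return $orphans;
}

// Print one tab-separated line per orphaned account for review.
foreach ( audit_orphaned_network_users() as $row ) {
	printf( "%d\t%s\t%s\n", $row['ID'], $row['user_login'], $row['user_registered'] );
}
```

Accounts the audit reports can then be reviewed and, where appropriate, deleted from the Network Admin > Users screen.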

#2 follow-up: @Jpyper
10 years ago

Alrighty, thanks for letting me know. I'll look into using the hooks available to get the behavior I'd like for my own network. That's what they're there for!

Thanks again, closing is fine. Do I do that?

#3 in reply to: ↑ 2 @DrewAPicture
10 years ago

  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

Replying to Jpyper:

Thanks again, closing is fine. Do I do that?

Nope, I'll take care of it :-)
