Opened 11 years ago
Closed 11 years ago
#28493 closed defect (bug) (invalid)
Multi site: User can still log into network after being removed from a site
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | 3.5.2 |
| Component: | Users | Keywords: | |
| Focuses: | administration, multisite | Cc: | |
Description
Encountered on a 3.5.2 install, tested and confirmed still a problem in 3.9.1.
I count this a bug because once removed from all sites on a network, a user should definitely not be able to log in again for any reason with the same credentials.
The real issue here is deleting a user from an individual site does not remove it from the network even when they are not registered to any other sites.
I'm happy to make a patch for this but I'd like some input on the best way to go about it.
Case:
- Multisite network
- Delete single user from single site, user is not registered on any other site.
- User uses login info associated with deleted user and gains access but is only allowed to view the dashboard and edit their profile info.
- User is not removed from wp_users and wp_usermeta still has rows using this user ID.
Expected: If user is not registered on other blogs, they should be removed completely from the network when removed from the single site they are registered on.
My thought is to make an addition to remove_user_from_blog in wp-includes/ms-functions.php (called by remove_user_from_blog in wp-admin/includes/ms.php) where it does
    $blogs = get_blogs_of_user($user_id);
    if ( count($blogs) == 0 ) {
        update_user_meta($user_id, 'primary_blog', '');
        update_user_meta($user_id, 'source_domain', '');
    }
Could do
    $wpdb->delete( $wpdb->users, array( 'ID' => $user_id ) );
    // wp_usermeta rows are keyed by the user_id column, not ID
    $wpdb->delete( $wpdb->usermeta, array( 'user_id' => $user_id ) );
similar to wp_delete_user (wp-admin/includes/user.php)
It's worth noting that just above wpmu_delete_user is
// @todo Merge with wp_delete_user() ?
So maybe it's time for that, but I would like to at least get in having the user removed from the network upon removal of the last blog they are registered to.
If the best thing I could do right now for feedback purposes is submit a patch with my idea of what would fix it, then I can just do that.
Hi Jpyper,
Thank you for the report :-)
However, this is actually expected behavior, i.e. a feature, not a bug. It's important to note the difference in terminology between "removing" and "deleting" a user. You remove a user from a site and delete a user from the network. If you want to delete a user from the network, that should be done from the Network Admin > Users screen.
The case where a user belongs to no sites but still belongs to the network is actually where the User Admin comes in (/wp-admin/user/). It's not an oft-visited section of the WordPress back-end, though I seem to recall that it's leveraged by WordPress.com, for example.
Suggest close.
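
For administrators who want to see which accounts are in the state this ticket describes (still in wp_users and able to log in, but with no role on any site), the audit below is an added example, not code from the ticket or from WordPress core. It assumes a loaded multisite install, for instance run through WP-CLI's `wp eval-file`; the function name `siteless_network_users` is hypothetical.

```php
<?php
// Added example: list network accounts that no longer belong to any site.
// Read-only: it reports accounts and deletes nothing.

function siteless_network_users() {
    if ( ! is_multisite() ) {
        return array();
    }

    $orphans = array();

    // blog_id => 0 returns every account in wp_users,
    // not only the members of the current site.
    $users = get_users( array(
        'blog_id' => 0,
        'fields'  => array( 'ID', 'user_login' ),
    ) );

    foreach ( $users as $user ) {
        $id = (int) $user->ID;

        // Super admins administer the network and may
        // legitimately hold no role on an individual site.
        if ( is_super_admin( $id ) ) {
            continue;
        }

        // Second argument true: archived, spam and deleted sites
        // still count as membership, so only accounts with no
        // site at all are reported.
        if ( count( get_blogs_of_user( $id, true ) ) === 0 ) {
            $orphans[ $id ] = $user->user_login;
        }
    }

    return $orphans;
}

// Print "ID<TAB>login" for each account found.
foreach ( siteless_network_users() as $id => $login ) {
    printf( "%d\t%s\n", $id, $login );
}
```

Accounts it lists can then be reviewed and, where appropriate, deleted from the Network Admin > Users screen as the reply describes.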