WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 2 years ago

#36196 closed defect (bug) (fixed)

Users without a role are not being displayed

Reported by: tobi823 Owned by: johnbillion
Milestone: 4.9 Priority: normal
Severity: normal Version: 4.4
Component: Users Keywords: has-patch has-unit-tests
Focuses: multisite Cc:

Description

Users without a role are not displayed on the site user page. (in my case http://localhost/wordpress1/wordpress/wp-admin/users.php). But the invisible user are still being counted (e.g. i should have '4 items' although no user is visible).
But on the network user page the users are visible. (in my case http://localhost/wordpress1/wordpress/wp-admin/network/users.php).

I can reproduce this bug with PHP code:

$wpUser = get_user_by('id', 35);
$wpUser->set_role('');

and with this SQL-Query:
DELETE FROM wordpress1.wp_usermeta WHERE user_id='35' AND meta_key='wp_capabilities';

My only workaround is to use a non existing role:

$wpUser = get_user_by('id', 35);
$wpUser->set_role('anonymous');

The strange thing is that this bug only exists on multi site installations. Normal single site installations work fine.

Attachments (7)

users.jpg (343.7 KB) - added by tobi823 3 years ago.
user.png (184.0 KB) - added by tobi823 3 years ago.
The user testuser31098 with no role in 'unterseite3'.
unterseite3_users.png (106.9 KB) - added by tobi823 3 years ago.
The user 'testuser31098' is not visible in the site 'unterseite3'.
36196.diff (2.0 KB) - added by flixos90 3 years ago.
show users with no role
36196.2.diff (3.3 KB) - added by flixos90 3 years ago.
fix table views to include "None"
36196.3.diff (3.3 KB) - added by scottlee 3 years ago.
Refreshed patch.
36196.4.diff (5.7 KB) - added by johnbillion 2 years ago.

Download all attachments as: .zip

Change History (26)

@tobi823
3 years ago

#1 @johnbillion
3 years ago

  • Focuses multisite added; ui removed
  • Keywords reporter-feedback added

Hi @tobi823, thanks for the report.

This looks like expected behaviour. A user with no role on a site in multisite does not belong to that site, therefore their user account does not show up in the site admin. They still, as you've reported, show up in the network admin.

You can test this by logging in as the user in question and visiting the Dashboard -> My Sites screen in the admin area. The site in question won't be listed, because the user has no role on that site and therefore does not belong to that site.

Can you take a look and confirm if that's the case please?

#2 @tobi823
3 years ago

Thank you for your fast responde @johnbillion,

I have removed the roles of my user testuser31098 (ID 34) by accessing my site 'unterseite3' with the ID 4 and execute this PHP script.

add_action('wp_after_admin_bar_render', 'aaaaa');
function aaaaa() {

        /* @var WP_User $wpUser */
        $wpUser = get_user_by('id', 34);
        if (get_current_blog_id() === 4) {
                $wpUser->set_role('');
                echo 'delete roles of user 34';
                var_dump($wpUser);
        }
}

The user is still invisible in the site 'unterseite3' and visible in the network user manager. But the user testuser31098 thinks that he belongs to 'unterseite3' although he has no role in 'unterseite3'.

@tobi823
3 years ago

The user testuser31098 with no role in 'unterseite3'.

@tobi823
3 years ago

The user 'testuser31098' is not visible in the site 'unterseite3'.

#3 follow-up: @johnbillion
3 years ago

  • Keywords needs-patch added; reporter-feedback removed
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from 4.4.2 to 4.4

Thanks for the extra information, @tobi823. I can confirm that I've reproduced the issue.

I think that in this situation, the user's wp_x_capabilities usermeta entry should be removed, so they're no longer a member of the site, but I'll need to look into it a bit more.

Last edited 3 years ago by johnbillion (previous) (diff)

This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.


3 years ago

#5 in reply to: ↑ 3 ; follow-up: @flixos90
3 years ago

Replying to johnbillion:

I think that in this situation, the user's wp_x_capabilities usermeta entry should be removed, so they're no longer a member of the site, but I'll need to look into it a bit more.

I think there is a difference between a user not being active for a site at all vs. a user not having any capabilities for a site. The user tables support showing "None" if a user has no role which leads me to the conclusion that this is expected behavior. So I think the original cause of this ticket is still valid.

@flixos90
3 years ago

show users with no role

#6 @flixos90
3 years ago

  • Keywords has-patch needs-unit-tests added; needs-patch removed

36196.diff is a fix to this problem by making wp_get_users_with_no_role() (introduced in 34965) multisite-compatible and removing a conditional which would previously skip users with no role (I'm not sure why that was there at all).

This fixes the issue for both the "Users" table on a single site and the "Site Users" table in the network admin.

@flixos90
3 years ago

fix table views to include "None"

#7 @flixos90
3 years ago

36196.2.diff improves the previous patch by also fixing the table views. They now include "None" properly if available. This was fixed by making count_users() multisite-compatible by adding an additional $site_id parameter and removing a clause that would automatically set the count for users with no role to 0.

#8 @jeremyfelt
3 years ago

#37325 was marked as a duplicate.

#9 @johnjamesjacoby
3 years ago

This happens in single-site also.

  • Log in as an admin
  • Create a user
  • Delete that user's role & caps usermeta entries via your favorite MySQL editing tool, or delete_user_meta()
  • Visit wp-admin/users.php
  • Now you have an invisible user

This has a few (mostly experiential) consequences:

  • The new user is completely hidden, even from admins
  • Admins are unaware that there is a rogue user in the database
  • Admins cannot give this user a role using the UI
  • That new user has no read cap, so they can login, but get redirected to a wp_die() page

That said, this user is in a broken state, and there are only so many ways that WordPress can (or should) compensate for malformed or missing data. What if a post object has no post_status? How did that happen? What should happen now?

I do believe that when it comes to user accounts, users without roles (on any sites) are a special case. In multisite, they have the "User Dashboard" as a fallback, and they are always visible via the "Network Dashboard" users.php page. I'd like to see parity in single-site.

  • Turn /wp-admin/user/ into a first-class citizen. Enable it for single-site, and redirect /wp-admin/profile.php to it.
  • On single-site, provide an additional "status" for users without any role entries in usermeta.
  • On multi-site, provide an additional "status" for users with empty role entries in usermeta.

I'd also vote to remove the multisite focus from this ticket. I think this is more of an improvement to how users and their roles are communicated through the UI, than it is specific to a multisite configuration.

#10 @scottlee
3 years ago

Hey hey, @flixos90, thanks for the patch. I've refreshed it for ya since it wasn't applying cleanly. I also ran the tests to ensure the changes passed.

I agree with most of the conversation that's happening here. Such as, should we remove the wp_X_capabilities and wp_X_user_level entires when a user is set to "no role" on a site (single or multi).

However, I think it'd delay resolving the issue here. That being when a site contains user(s) that are set to "no role" the user count vs. whats displayed, is misleading. ie. not showing.

https://www.dropbox.com/s/mbks7kykwgqadli/Users%2B%25E2%2580%25B9%2BSite%253A%2BTwo%2B%25E2%2580%2594%2BWordPress%2B2016-10-13%2B16-24-00.png

If we apply this fix, not only do resolving the differences between the users count vs. what the user sees, we also enable an Administrator to restore an essentially orphaned user to a site. Something that is not currently possible.

https://www.dropbox.com/s/xddmxms93itkbia/Users%2B%25E2%2580%25B9%2BWordPress%2BDevelop%2B%25E2%2580%2594%2BWordPress%2B2016-10-14%2B15-28-05.png

Last edited 3 years ago by scottlee (previous) (diff)

@scottlee
3 years ago

Refreshed patch.

This ticket was mentioned in Slack in #core-multisite by helen. View the logs.


3 years ago

#12 @warrenreeves
3 years ago

I was able to get users with no role to show in the User list in this case by changing core file "wp-admin/includes/class-wp-users-list-table.php" line 360 from:

if ( is_multisite() && empty( $user_object->allcaps ) )

to:

if ( is_multisite() && empty( $user_object->cap_key ) )

#13 in reply to: ↑ 5 ; follow-up: @brocheafoin
2 years ago

Replying to flixos90:

I think there is a difference between a user not being active for a site at all vs. a user not having any capabilities for a site.

The most obvious use case for a user without any capabilities is a former author. You would want to leave them as author of their content but prevent them from doing anything. When you remove a user completely, you have to reassign their content to another user, which would not be appropriate.

In that case,

this user is in a broken state

would not be completely true.

Furthermore...

users without roles (on any sites) are a special case. In multisite, they have the "User Dashboard" as a fallback, and they are always visible via the "Network Dashboard" users.php page.

This is all true, but as long as users without a roles aren't displayed in the users table, there is no UI to actually _give_ them a role.

Additional consideration:

  • The documentation for WP_User->set_role() says that "You can set the role to an empty string and it will remove all of the roles from the user." which is exactly how we end up with users without roles.
  • is_user_member_of_blog() only verifies the "$prefix_$blogid_capabilities" meta's existence to determine membership. As far as it's concerned, users without a role are considered as members of the site. Logically, they should be visible on the site's users table.

TL;DR: I'm @flixos90. Let's make users without roles first-class citizens.

#14 in reply to: ↑ 13 @brocheafoin
2 years ago

Replying to brocheafoin:

The most obvious use case for a user without any capabilities is a former author. You would want to leave them as author of their content but prevent them from doing anything. When you remove a user completely, you have to reassign their content to another user, which would not be appropriate.

Yeah, I was a bit stupid there. You could just move them back to "Subscriber". I'm no longer sure there is an actual use case for users without roles. Sorry for the rambling.

This ticket was mentioned in Slack in #buddypress by jjj. View the logs.


2 years ago

#16 @johnbillion
2 years ago

  • Milestone changed from Future Release to 4.9
  • Owner set to johnbillion
  • Status changed from new to reviewing

This ticket was mentioned in Slack in #core-multisite by flixos90. View the logs.


2 years ago

@johnbillion
2 years ago

#18 @johnbillion
2 years ago

  • Keywords has-unit-tests added; needs-unit-tests removed

#19 @johnbillion
2 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 41138:

Users: Ensure that users with no role on a site are taken into consideration when listing users on Multisite.

This ensures that users who are a member of a site but have no role are correctly listed on the Users screen and can be filtered from the 'None' role filter.

Props tobi823, flixos90, scottlee

Fixes #36196

Note: See TracTickets for help on using tickets.