Users without a role are not being displayed

[tobi823]

Users without a role are not displayed on the site user page. (in my case ​http://localhost/wordpress1/wordpress/wp-admin/users.php). But the invisible user are still being counted (e.g. i should have '4 items' although no user is visible).
But on the network user page the users are visible. (in my case ​http://localhost/wordpress1/wordpress/wp-admin/network/users.php).

I can reproduce this bug with PHP code:

$wpUser = get_user_by('id', 35);
$wpUser->set_role('');

and with this SQL-Query:
DELETE FROM wordpress1.wp_usermeta WHERE user_id='35' AND meta_key='wp_capabilities';

My only workaround is to use a non existing role:

$wpUser = get_user_by('id', 35);
$wpUser->set_role('anonymous');

The strange thing is that this bug only exists on multi site installations. Normal single site installations work fine.

[johnbillion]

Hi @tobi823, thanks for the report.

This looks like expected behaviour. A user with no role on a site in multisite does not belong to that site, therefore their user account does not show up in the site admin. They still, as you've reported, show up in the network admin.

You can test this by logging in as the user in question and visiting the Dashboard -> My Sites screen in the admin area. The site in question won't be listed, because the user has no role on that site and therefore does not belong to that site.

Can you take a look and confirm if that's the case please?

[tobi823]

Thank you for your fast responde @johnbillion,

I have removed the roles of my user testuser31098 (ID 34) by accessing my site 'unterseite3' with the ID 4 and execute this PHP script.

add_action('wp_after_admin_bar_render', 'aaaaa');
function aaaaa() {

        /* @var WP_User $wpUser */
        $wpUser = get_user_by('id', 34);
        if (get_current_blog_id() === 4) {
                $wpUser->set_role('');
                echo 'delete roles of user 34';
                var_dump($wpUser);
        }
}

The user is still invisible in the site 'unterseite3' and visible in the network user manager. But the user testuser31098 thinks that he belongs to 'unterseite3' although he has no role in 'unterseite3'.

[tobi823]

The user testuser31098 with no role in 'unterseite3'.

[tobi823]

The user 'testuser31098' is not visible in the site 'unterseite3'.

[johnbillion]

Thanks for the extra information, @tobi823. I can confirm that I've reproduced the issue.

I think that in this situation, the user's wp_x_capabilities usermeta entry should be removed, so they're no longer a member of the site, but I'll need to look into it a bit more.

[flixos90]

Replying to johnbillion:

I think that in this situation, the user's wp_x_capabilities usermeta entry should be removed, so they're no longer a member of the site, but I'll need to look into it a bit more.

I think there is a difference between a user not being active for a site at all vs. a user not having any capabilities for a site. The user tables support showing "None" if a user has no role which leads me to the conclusion that this is expected behavior. So I think the original cause of this ticket is still valid.

[flixos90]

show users with no role

[flixos90]

36196.diff​ is a fix to this problem by making wp_get_users_with_no_role() (introduced in 34965) multisite-compatible and removing a conditional which would previously skip users with no role (I'm not sure why that was there at all).

This fixes the issue for both the "Users" table on a single site and the "Site Users" table in the network admin.

[flixos90]

fix table views to include "None"

[flixos90]

36196.2.diff​ improves the previous patch by also fixing the table views. They now include "None" properly if available. This was fixed by making count_users() multisite-compatible by adding an additional $site_id parameter and removing a clause that would automatically set the count for users with no role to 0.

[jeremyfelt]

#37325 was marked as a duplicate.

[johnjamesjacoby]

This happens in single-site also.

• Log in as an admin
• Create a user
• Delete that user's role & caps usermeta entries via your favorite MySQL editing tool, or delete_user_meta()
• Visit wp-admin/users.php
• Now you have an invisible user

This has a few (mostly experiential) consequences:

• The new user is completely hidden, even from admins
• Admins are unaware that there is a rogue user in the database
• Admins cannot give this user a role using the UI
• That new user has no read cap, so they can login, but get redirected to a wp_die() page

---

That said, this user is in a broken state, and there are only so many ways that WordPress can (or should) compensate for malformed or missing data. What if a post object has no post_status? How did that happen? What should happen now?

I do believe that when it comes to user accounts, users without roles (on any sites) are a special case. In multisite, they have the "User Dashboard" as a fallback, and they are always visible via the "Network Dashboard" users.php page. I'd like to see parity in single-site.

• Turn /wp-admin/user/ into a first-class citizen. Enable it for single-site, and redirect /wp-admin/profile.php to it.
• On single-site, provide an additional "status" for users without any role entries in usermeta.
• On multi-site, provide an additional "status" for users with empty role entries in usermeta.

---

I'd also vote to remove the multisite focus from this ticket. I think this is more of an improvement to how users and their roles are communicated through the UI, than it is specific to a multisite configuration.

[scottlee]

Hey hey, @flixos90, thanks for the patch. I've refreshed it for ya since it wasn't applying cleanly. I also ran the tests to ensure the changes passed.

I agree with most of the conversation that's happening here. Such as, should we remove the wp_X_capabilities and wp_X_user_level entires when a user is set to "no role" on a site (single or multi).

However, I think it'd delay resolving the issue here. That being when a site contains user(s) that are set to "no role" the user count vs. whats displayed, is misleading. ie. not showing.

If we apply this fix, not only do resolving the differences between the users count vs. what the user sees, we also enable an Administrator to restore an essentially orphaned user to a site. Something that is not currently possible.

[scottlee]

Refreshed patch.

[warrenreeves]

I was able to get users with no role to show in the User list in this case by changing core file "wp-admin/includes/class-wp-users-list-table.php" line 360 from:

if ( is_multisite() && empty( $user_object->allcaps ) )

to:

if ( is_multisite() && empty( $user_object->cap_key ) )

[brocheafoin]

Replying to flixos90:

I think there is a difference between a user not being active for a site at all vs. a user not having any capabilities for a site.

The most obvious use case for a user without any capabilities is a former author. You would want to leave them as author of their content but prevent them from doing anything. When you remove a user completely, you have to reassign their content to another user, which would not be appropriate.

In that case,

this user is in a broken state

would not be completely true.

Furthermore...

users without roles (on any sites) are a special case. In multisite, they have the "User Dashboard" as a fallback, and they are always visible via the "Network Dashboard" users.php page.

This is all true, but as long as users without a roles aren't displayed in the users table, there is no UI to actually _give_ them a role.

Additional consideration:

• The documentation for WP_User->set_role() says that "You can set the role to an empty string and it will remove all of the roles from the user." which is exactly how we end up with users without roles.
• is_user_member_of_blog() only verifies the "$prefix_$blogid_capabilities" meta's existence to determine membership. As far as it's concerned, users without a role are considered as members of the site. Logically, they should be visible on the site's users table.

TL;DR: I'm @flixos90. Let's make users without roles first-class citizens.

[brocheafoin]

Replying to brocheafoin:

The most obvious use case for a user without any capabilities is a former author. You would want to leave them as author of their content but prevent them from doing anything. When you remove a user completely, you have to reassign their content to another user, which would not be appropriate.

Yeah, I was a bit stupid there. You could just move them back to "Subscriber". I'm no longer sure there is an actual use case for users without roles. Sorry for the rambling.

[johnbillion]

In 41138:

Users: Ensure that users with no role on a site are taken into consideration when listing users on Multisite.

This ensures that users who are a member of a site but have no role are correctly listed on the Users screen and can be filtered from the 'None' role filter.

Props tobi823, flixos90, scottlee

Fixes #36196