Opened 7 years ago
Closed 6 years ago
#36196 closed defect (bug) (fixed)
Users without a role are not being displayed
Reported by: |
|
Owned by: |
|
---|---|---|---|
Milestone: | 4.9 | Priority: | normal |
Severity: | normal | Version: | 4.4 |
Component: | Users | Keywords: | has-patch has-unit-tests |
Focuses: | multisite | Cc: |
Description
Users without a role are not displayed on the site user page. (in my case http://localhost/wordpress1/wordpress/wp-admin/users.php). But the invisible user are still being counted (e.g. i should have '4 items' although no user is visible).
But on the network user page the users are visible. (in my case http://localhost/wordpress1/wordpress/wp-admin/network/users.php).
I can reproduce this bug with PHP code:
$wpUser = get_user_by('id', 35);
$wpUser->set_role('');
and with this SQL-Query:
DELETE FROM wordpress1
.wp_usermeta
WHERE user_id
='35' AND meta_key
='wp_capabilities';
My only workaround is to use a non existing role:
$wpUser = get_user_by('id', 35);
$wpUser->set_role('anonymous');
The strange thing is that this bug only exists on multi site installations. Normal single site installations work fine.
Attachments (7)
Change History (26)
#2
@
7 years ago
Thank you for your fast responde @johnbillion,
I have removed the roles of my user testuser31098 (ID 34) by accessing my site 'unterseite3' with the ID 4 and execute this PHP script.
add_action('wp_after_admin_bar_render', 'aaaaa');
function aaaaa() {
/* @var WP_User $wpUser */
$wpUser = get_user_by('id', 34);
if (get_current_blog_id() === 4) {
$wpUser->set_role('');
echo 'delete roles of user 34';
var_dump($wpUser);
}
}
The user is still invisible in the site 'unterseite3' and visible in the network user manager. But the user testuser31098 thinks that he belongs to 'unterseite3' although he has no role in 'unterseite3'.
#3
follow-up:
↓ 5
@
7 years ago
- Keywords needs-patch added; reporter-feedback removed
- Milestone changed from Awaiting Review to Future Release
- Version changed from 4.4.2 to 4.4
Thanks for the extra information, @tobi823. I can confirm that I've reproduced the issue.
I think that in this situation, the user's wp_x_capabilities
usermeta entry should be removed, so they're no longer a member of the site, but I'll need to look into it a bit more.
This ticket was mentioned in Slack in #core-multisite by jeremyfelt. View the logs.
7 years ago
#5
in reply to:
↑ 3
;
follow-up:
↓ 13
@
7 years ago
Replying to johnbillion:
I think that in this situation, the user's
wp_x_capabilities
usermeta entry should be removed, so they're no longer a member of the site, but I'll need to look into it a bit more.
I think there is a difference between a user not being active for a site at all vs. a user not having any capabilities for a site. The user tables support showing "None" if a user has no role which leads me to the conclusion that this is expected behavior. So I think the original cause of this ticket is still valid.
#6
@
7 years ago
- Keywords has-patch needs-unit-tests added; needs-patch removed
36196.diff is a fix to this problem by making wp_get_users_with_no_role()
(introduced in 34965) multisite-compatible and removing a conditional which would previously skip users with no role (I'm not sure why that was there at all).
This fixes the issue for both the "Users" table on a single site and the "Site Users" table in the network admin.
#7
@
7 years ago
36196.2.diff improves the previous patch by also fixing the table views. They now include "None" properly if available. This was fixed by making count_users()
multisite-compatible by adding an additional $site_id
parameter and removing a clause that would automatically set the count for users with no role to 0.
#9
@
7 years ago
This happens in single-site also.
- Log in as an admin
- Create a user
- Delete that user's role & caps usermeta entries via your favorite MySQL editing tool, or
delete_user_meta()
- Visit
wp-admin/users.php
- Now you have an invisible user
This has a few (mostly experiential) consequences:
- The new user is completely hidden, even from admins
- Admins are unaware that there is a rogue user in the database
- Admins cannot give this user a role using the UI
- That new user has no
read
cap, so they can login, but get redirected to awp_die()
page
That said, this user is in a broken state, and there are only so many ways that WordPress can (or should) compensate for malformed or missing data. What if a post object has no post_status
? How did that happen? What should happen now?
I do believe that when it comes to user accounts, users without roles (on any sites) are a special case. In multisite, they have the "User Dashboard" as a fallback, and they are always visible via the "Network Dashboard" users.php
page. I'd like to see parity in single-site.
- Turn
/wp-admin/user/
into a first-class citizen. Enable it for single-site, and redirect/wp-admin/profile.php
to it. - On single-site, provide an additional "status" for users without any role entries in
usermeta
. - On multi-site, provide an additional "status" for users with empty role entries in
usermeta
.
I'd also vote to remove the multisite
focus from this ticket. I think this is more of an improvement to how users and their roles are communicated through the UI, than it is specific to a multisite configuration.
#10
@
7 years ago
Hey hey, @flixos90, thanks for the patch. I've refreshed it for ya since it wasn't applying cleanly. I also ran the tests to ensure the changes passed.
I agree with most of the conversation that's happening here. Such as, should we remove the wp_X_capabilities
and wp_X_user_level
entires when a user is set to "no role" on a site (single or multi).
However, I think it'd delay resolving the issue here. That being when a site contains user(s) that are set to "no role" the user count vs. whats displayed, is misleading. ie. not showing.
If we apply this fix, not only do resolving the differences between the users count vs. what the user sees, we also enable an Administrator to restore an essentially orphaned user to a site. Something that is not currently possible.
This ticket was mentioned in Slack in #core-multisite by helen. View the logs.
6 years ago
#12
@
6 years ago
I was able to get users with no role to show in the User list in this case by changing core file "wp-admin/includes/class-wp-users-list-table.php" line 360 from:
if ( is_multisite() && empty( $user_object->allcaps ) )
to:
if ( is_multisite() && empty( $user_object->cap_key ) )
#13
in reply to:
↑ 5
;
follow-up:
↓ 14
@
6 years ago
Replying to flixos90:
I think there is a difference between a user not being active for a site at all vs. a user not having any capabilities for a site.
The most obvious use case for a user without any capabilities is a former author. You would want to leave them as author of their content but prevent them from doing anything. When you remove a user completely, you have to reassign their content to another user, which would not be appropriate.
In that case,
this user is in a broken state
would not be completely true.
Furthermore...
users without roles (on any sites) are a special case. In multisite, they have the "User Dashboard" as a fallback, and they are always visible via the "Network Dashboard" users.php page.
This is all true, but as long as users without a roles aren't displayed in the users table, there is no UI to actually _give_ them a role.
Additional consideration:
- The documentation for
WP_User->set_role()
says that "You can set the role to an empty string and it will remove all of the roles from the user." which is exactly how we end up with users without roles. is_user_member_of_blog()
only verifies the "$prefix_$blogid_capabilities" meta's existence to determine membership. As far as it's concerned, users without a role are considered as members of the site. Logically, they should be visible on the site's users table.
TL;DR: I'm @flixos90. Let's make users without roles first-class citizens.
#14
in reply to:
↑ 13
@
6 years ago
Replying to brocheafoin:
The most obvious use case for a user without any capabilities is a former author. You would want to leave them as author of their content but prevent them from doing anything. When you remove a user completely, you have to reassign their content to another user, which would not be appropriate.
Yeah, I was a bit stupid there. You could just move them back to "Subscriber". I'm no longer sure there is an actual use case for users without roles. Sorry for the rambling.
This ticket was mentioned in Slack in #buddypress by jjj. View the logs.
6 years ago
#16
@
6 years ago
- Milestone changed from Future Release to 4.9
- Owner set to johnbillion
- Status changed from new to reviewing
Hi @tobi823, thanks for the report.
This looks like expected behaviour. A user with no role on a site in multisite does not belong to that site, therefore their user account does not show up in the site admin. They still, as you've reported, show up in the network admin.
You can test this by logging in as the user in question and visiting the Dashboard -> My Sites screen in the admin area. The site in question won't be listed, because the user has no role on that site and therefore does not belong to that site.
Can you take a look and confirm if that's the case please?