WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#39643 closed defect (bug) (fixed)

WP_User_Query does not allow search_fields to use display_name

Reported by: bcole808 Owned by: boonebgorges
Milestone: 4.9 Priority: normal
Severity: normal Version: 4.8
Component: Users Keywords: has-patch has-unit-tests
Focuses: Cc:

Description

Expected Behavior:

The following query:

<?php
new WP_User_Query(array(
        'search' => '*Ben*',
        'search_columns' => 'display_name',
));

should search the users table and ONLY look at the column 'display_name'.

Observed problematic behavior:

During the prepare_query method, the search column parameter gets reset to the default value because of this line (around line 526) which appears to be filtering the allowed values for safety:

<?php
$search_columns = array_intersect( $qv['search_columns'], array( 'ID', 'user_login', 'user_email', 'user_url', 'user_nicename' ) );

You can see in the lines of code following this, by default it will include all fields (including display_name) like this:

<?php
$search_columns = array('user_login', 'user_url', 'user_email', 'user_nicename', 'display_name');

It looks like display_name is just missing from the whitelist of allowed custom query fields. I will attach a patch which should fix this problem.

Attachments (3)

39643.1.diff (731 bytes) - added by bcole808 3 years ago.
Include display_name as allowed search column
39643.unit-test.diff (1.5 KB) - added by pcarvalho 2 years ago.
Checks that it searches only in display_name and not in any other field
39643.2.diff (807 bytes) - added by bcole808 2 years ago.
Added curly brackets around 'if' block

Download all attachments as: .zip

Change History (13)

@bcole808
3 years ago

Include display_name as allowed search column

#1 @swissspidy
3 years ago

  • Keywords has-patch needs-unit-tests added

#2 @SergeyBiryukov
3 years ago

  • Component changed from Query to Users
  • Milestone changed from Awaiting Review to 4.8

Confirmed. display_name was added to the list of default columns to search in [32980], but was not included in the whitelist, so it's impossible to search only by display_name at the moment.

39643.1.diff looks good, let's also add a unit test if possible.

Note: The snippet from ticket description doesn't work as is and causes a PHP warning:

Warning: array_intersect(): Argument #1 is not an array in wp-includes/class-wp-user-query.php on line 526

search_columns should be an array, not a string:

new WP_User_Query( array(
	'search' => '*Ben*',
	'search_columns' => array( 'display_name' ),
) );

@pcarvalho
2 years ago

Checks that it searches only in display_name and not in any other field

#3 @pcarvalho
2 years ago

  • Keywords has-unit-tests added; needs-unit-tests removed

Hi everyone, I've added 2 unit tests:
1- return the user that has the string in display_name
2- don't return the user that has the string in other fields

@bcole808, may I ask you to update your patch to add curly brackets around that block?

or if you don't mind, I can do it.

This ticket was mentioned in Slack in #core by netweb. View the logs.


2 years ago

@bcole808
2 years ago

Added curly brackets around 'if' block

This ticket was mentioned in Slack in #core by obenland. View the logs.


2 years ago

#6 @obenland
2 years ago

  • Milestone changed from 4.8 to Future Release

#7 @engelen
2 years ago

Patch looks good to me as well. The unit tests are a bit limited, I would argue, in the sense that they only test for the display_name column (i.e., what went wrong in this case). However, the unit tests will still pass if, in a next release, the same problem occurs with user_email, for example.

@obenland Can this be moved to 4.9? Seems like a solid, simple patch for what is clearly a bug.

#8 @boonebgorges
2 years ago

  • Milestone changed from Future Release to 4.9

Thank you for the updated patch!

However, the unit tests will still pass if, in a next release, the same problem occurs with user_email, for example.

Full tests for all searchable fields would be great, but are not critical for this feature to land. Let's get them as part of a separate ticket.

#9 @boonebgorges
2 years ago

  • Owner set to boonebgorges
  • Resolution set to fixed
  • Status changed from new to closed

In 40982:

Allow user searches to match the display_name field.

Props bcole808, pcarvalho.
Fixes #39643.

#10 @rmccue
2 years ago

FYI, this is now indirectly tested thanks to r41011.

Note: See TracTickets for help on using tickets.