WordPress.org

Make WordPress Core

Opened 4 months ago

Last modified 3 months ago

#49399 new defect (bug)

wp_get_users_with_no_role() does not handle user roles which contain numbers

Reported by: chillbram Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.4
Component: Users Keywords: needs-patch needs-unit-tests
Focuses: Cc:

Description

The function wp_get_users_with_no_role() does not correctly ascertain which roles it needs to search for. Before it queries the database it changes the names for roles which contain numbers (and special characters for that matter). It uses the following regex to adapt the list of roles it gets from wp_roles()->get_names():

<?php
$regex = implode( '|', array_keys( $role_names ) );
$regex = preg_replace( '/[^a-zA-Z_\|-]/', '', $regex );

This results in roles with names like "Year1" and "Group1Admins" to be truncated to "Year" and "GroupAdmins" respectively before querying.

This could be easily solved by extending the regex pattern to also accept numbers:

<?php
$regex = preg_replace( '/[^0-9a-zA-Z_\|-]/', '', $regex );

Change History (3)

#1 @SergeyBiryukov
4 months ago

  • Component changed from General to Users
  • Keywords needs-patch needs-unit-tests added

This ticket was mentioned in Slack in #core by noisysocks. View the logs.


3 months ago

#3 @isabel_brison
3 months ago

  • Milestone changed from Awaiting Review to Future Release
  • Version changed from 5.3.2 to 4.4

Best way forward here should be to change the regex to accept numbers provided they're not preceded by a colon, and to ensure that users are not allowed to add special characters in role names.

Note: See TracTickets for help on using tickets.