Make WordPress Core

Opened 5 years ago

Last modified 4 years ago

#49399 new defect (bug)

wp_get_users_with_no_role() does not handle user roles which contain numbers

Reported by: chillbram's profile chillbram Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version: 4.4
Component: Users Keywords: has-unit-tests has-patch
Focuses: Cc:

Description

The function wp_get_users_with_no_role() does not correctly ascertain which roles it needs to search for. Before it queries the database it changes the names for roles which contain numbers (and special characters for that matter). It uses the following regex to adapt the list of roles it gets from wp_roles()->get_names():

<?php
$regex = implode( '|', array_keys( $role_names ) );
$regex = preg_replace( '/[^a-zA-Z_\|-]/', '', $regex );

This results in roles with names like "Year1" and "Group1Admins" to be truncated to "Year" and "GroupAdmins" respectively before querying.

This could be easily solved by extending the regex pattern to also accept numbers:

<?php
$regex = preg_replace( '/[^0-9a-zA-Z_\|-]/', '', $regex );

Attachments (1)

49399.1.patch (1.8 KB) - added by Mista-Flo 4 years ago.

Download all attachments as: .zip

Change History (6)

#1 @SergeyBiryukov
5 years ago

  • Component changed from General to Users
  • Keywords needs-patch needs-unit-tests added

This ticket was mentioned in Slack in #core by noisysocks. View the logs.


5 years ago

#3 @isabel_brison
5 years ago

  • Milestone changed from Awaiting Review to Future Release
  • Version changed from 5.3.2 to 4.4

Best way forward here should be to change the regex to accept numbers provided they're not preceded by a colon, and to ensure that users are not allowed to add special characters in role names.

@Mista-Flo
4 years ago

#4 @Mista-Flo
4 years ago

  • Keywords has-unit-tests has-patch added; needs-patch needs-unit-tests removed

Hello guys, I have uploaded a patch to fix the issue. It also contains a dedicated unit test. Thanks for your help @chillbram

#5 @chillbram
4 years ago

It seems like this ticket is complete and the patch from @Mista-Flo could be added to any minor release right?

Note: See TracTickets for help on using tickets.