Make WordPress Core

Opened 17 months ago

Last modified 13 days ago

#60029 new defect (bug)

Admin unable to create new Application Password for user with no role on main site (multisite)

Reported by: roytanck
Owned by:
Milestone: 6.9
Priority: normal
Severity: normal
Version:
Component: Application Passwords
Keywords: changes-requested
Focuses: multisite
Cc:

Description

I ran into this while trying to create an Application Password for a user from the network users admin screen (wp-admin/network/user-edit.php). It does work from any site's dashboard (subsite/wp-admin/user-edit.php).

Steps to reproduce:

  • I used a completely multisite WP 6.4.2 in subdirectory mode.
  • Log in as an administrator.
  • Create at least one additional site (I called it "subsite").
  • Create a second user, and make them subscriber on "subsite".
  • If present, remove the user from the main site.
  • Go to the network "Users" screen, and edit the user.
  • Try to add an Application Password.

I got an error saying "Invalid user ID."

Change History (13)

#1 @johnbillion
17 months ago

Previously: #53224

#3 @roytanck
15 months ago

I'm starting to wonder whether it makes sense to create application passwords at the network level at all. In the context of a (sub)site, it's clear that you're allowing access to that site. In the network admin, users could expect they're granting access to all sites, which I don't think is something WP supports?

Perhaps the best option is to remove the UI when editing a user in the network area?

Edit: Just noticed that WP does in fact support granting access to all sites a user has a role on.

Last edited 15 months ago by roytanck (previous) (diff)

#4 @johnbillion
8 weeks ago

  • Focuses multisite added
  • Keywords needs-patch added

Conversely, application passwords are stored in user meta and there is no concept of a per-site application password on a Multisite installation. They are all network-wide, just like the user's regular password.

A network admin should be able to create and revoke application passwords when editing a user from the network Users screen.

This ticket was mentioned in PR #8638 on WordPress/wordpress-develop by @sukhendu2002.


4 weeks ago
#5

  • Keywords has-patch has-unit-tests added; needs-patch removed

Trac ticket:

#6 follow-up: @sonaliprajapati
4 weeks ago

Steps to Fix:
Method 1

Step 1: Temporarily assign a role on the main site:

  • Go to Network Admin > Sites.
  • Select the main site.
  • Navigate to the Users tab.
  • Add the user to the main site (e.g., assign them the "Subscriber" role).

Step 2: Generate the Application Password:

  • Go to Network Admin > Users.
  • Edit the user and generate an Application Password.
  • Copy the generated password.

Step 3: Remove the role (optional):

  • If the user does not need access to the main site, remove them from it after generating the password.

Method 2: Alternative solution via code

If you want to avoid assigning roles manually, you can use a filter to allow users without a role to generate Application Passwords.

Add this to your mu-plugins or theme’s functions.php:

<?php
add_filter( 'wp_is_application_passwords_available_for_user', function( $available, $user ) {
    return true; // Force enable application passwords for all users.
}, 10, 2 );

#7 in reply to: ↑ 6 @roytanck
4 weeks ago

Thank you, @sonaliprajapati. The methods you describe seem to be more of a workaround, and not a permanent solution. I'd much prefer the application password UI to simply work for users with a role on any site in the network.

#8 @roytanck
4 weeks ago

This issue seems to boil down to this bit in wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php (line 722).

<?php
if ( is_multisite() && ! user_can( $user->ID, 'manage_sites' ) && ! is_user_member_of_blog( $user->ID ) ) {
        return $error;
}

If we could replace the call to is_user_member_of_blog with a function that checks for roles on any blog within the network, that would likely fix the issue. I don't think such a function currently exists?

Edit: 'get_blogs_of_user' could probably be used here? https://developer.wordpress.org/reference/functions/get_blogs_of_user/

Edit 2: This seems to work:

<?php
if ( is_multisite() && ! user_can( $user->ID, 'manage_sites' ) && empty( get_blogs_of_user( $user->ID ) ) ) {
        return $error;
}

However, it would probably make more sense to not show the application password UI at all if passwords can't be created.

Last edited 4 weeks ago by roytanck (previous) (diff)
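
The reproduction steps from the description and the check quoted in comment 8, written as a multisite regression test. This is an added example, not code from the ticket, from PR #8638 or from WordPress core; the class and method names are hypothetical. Going by the thread, the status assertion fails with the "Invalid user ID." error while the controller only checks membership of the current site.

```php
<?php
/**
 * Added example: regression test for the scenario in this ticket.
 * Class and method names are hypothetical. Run with the multisite test configuration.
 *
 * @group ms-required
 */
class Example_Tests_App_Passwords_Network_User extends WP_UnitTestCase {

	public function set_up() {
		parent::set_up();
		// The test environment is not served over HTTPS, so enable the feature explicitly.
		add_filter( 'wp_is_application_passwords_available', '__return_true' );
	}

	public function test_super_admin_can_create_password_for_user_without_main_site_role() {
		$admin_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
		grant_super_admin( $admin_id );

		// Steps from the ticket: subscriber on "subsite", no role on the main site.
		$user_id = self::factory()->user->create( array( 'role' => 'subscriber' ) );
		$site_id = self::factory()->blog->create();
		add_user_to_blog( $site_id, $user_id, 'subscriber' );
		remove_user_from_blog( $user_id, get_main_site_id() );

		// Preconditions: not a member of the main site, but a member of the network.
		$this->assertFalse( is_user_member_of_blog( $user_id, get_main_site_id() ) );
		$this->assertNotEmpty( get_blogs_of_user( $user_id ) );

		// The test suite runs in the main site's context, as the network admin does.
		wp_set_current_user( $admin_id );
		$request = new WP_REST_Request( 'POST', '/wp/v2/users/' . $user_id . '/application-passwords' );
		$request->set_body_params( array( 'name' => 'Example app' ) );
		$response = rest_get_server()->dispatch( $request );

		// Expected once the check accepts a role on any site in the network.
		$this->assertSame( 201, $response->get_status() );
		$this->assertArrayHasKey( 'password', $response->get_data() );
	}
}
```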

#9 follow-up: @sonaliprajapati
4 weeks ago

Please add this code in function.php, then it will work.

add_filter( 'wp_is_application_passwords_available_for_user', '__return_true' );

#10 in reply to: ↑ 9 @roytanck
4 weeks ago

Thank you. I realize this would fix the issue for me, but Trac is all about fixing issues for everyone. This issue is quite clearly caused by a bug in WP core, and the best solution would be to fix that bug.

(I actually have a more complicated version of the code you posted in production right now, which takes user capabilities and other things into account to determine which users should be able to have application passwords.)

Replying to sonaliprajapati:

Please add this code in function.php, then it will work.

add_filter( 'wp_is_application_passwords_available_for_user', '__return_true' );
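
A narrower callback for the filter discussed in comments 6, 9 and 10, as an added example that is not code from the thread or from WordPress core: it keeps an earlier "false" in place and allows only users who hold a capability on at least one of their sites. The constant, both function names and the choice of the 'read' capability are assumptions. It governs only the filter's decision; the membership check quoted in comment 8 is a separate condition.

```php
<?php
// Added example, not from the ticket or WordPress core. EXAMPLE_APP_PASSWORD_CAP
// and both function names are hypothetical; 'read' is an assumed policy choice.
const EXAMPLE_APP_PASSWORD_CAP = 'read';

/** True when the user holds $capability on at least one site they belong to. */
function example_user_has_cap_on_any_site( WP_User $user, $capability ) {
	if ( ! is_multisite() ) {
		return user_can( $user->ID, $capability );
	}
	foreach ( get_blogs_of_user( $user->ID ) as $site ) {
		// Roles are stored per site, so evaluate the capability in that site's context.
		switch_to_blog( $site->userblog_id );
		$has_cap = user_can( $user->ID, $capability );
		restore_current_blog();
		if ( $has_cap ) {
			return true;
		}
	}
	return false;
}

function example_scope_application_passwords( $available, $user ) {
	// Never re-enable what core or an earlier callback has switched off.
	if ( ! $available || ! $user instanceof WP_User ) {
		return false;
	}
	// Network administrators need no site role.
	if ( is_multisite() && user_can( $user->ID, 'manage_sites' ) ) {
		return true;
	}
	return example_user_has_cap_on_any_site( $user, EXAMPLE_APP_PASSWORD_CAP );
}
add_filter( 'wp_is_application_passwords_available_for_user', 'example_scope_application_passwords', 10, 2 );
```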

#11 @johnbillion
4 weeks ago

  • Keywords needs-testing added
  • Milestone changed from Awaiting Review to 6.9

#12 follow-up: @SirLouen
13 days ago

  • Keywords reporter-feedback added; needs-testing removed

Reproduction Report

Description

❌ This report can't validate that the issue can be reproduced.
@roytanck please review the Demo video provided here to check if I'm doing something wrong.

Environment

  • WordPress: 6.8-src
  • PHP: 8.4.6
  • Server: nginx/1.27.4
  • Database: mysqli (Server: 8.4.4 / Client: mysqlnd 8.4.6)
  • Browser: Chrome 135.0.0.0
  • OS: Windows 10/11
  • Theme: Twenty Twenty-Five 1.2
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ❌ Error condition doesn't occur (reproduced in the video attached).

Additional Notes

@roytanck afaik, WP 6.4 is in end of cycle. I cannot even deploy it in my testing env easily.
You should consider upgrading to the latest version, 6.8.0, released yesterday, because regardless of whether we end up finding a solution to this or not, you will not get a patch for your specific version; it will be integrated into trunk and afterwards moved into the future 6.9.0, if that's the case.

Supplemental Artifacts

Demo video: https://streamable.com/ezirsd

#13 in reply to: ↑ 12 @roytanck
13 days ago

Thank you for testing. Obviously I'm no longer using WP 6.4. This is an older ticket, and 6.4 was the current version when it was created.

The error occurs when a network admin attempts to create an application key from the network admin users screen (wp-admin/network/user-edit.php?user_id=[user_id]). It does indeed work if you instead go to the subsite, and edit the user from there.

If we decide that creating new application keys should only be possible in a context (site) where the user has a role, then we should probably hide the UI in the network admin. If not, we should make it possible to create new keys without this error happening.

#14 @SirLouen
13 days ago

  • Keywords changes-requested added; has-patch has-unit-tests reporter-feedback removed

Combined Bug Reproduction and Patch Test Report

Description

🟠 This report validates that the patch works as expected, with some caveats.

Patch tested: https://github.com/WordPress/wordpress-develop/pull/8638.diff

Environment

  • WordPress: 6.9-alpha-60093-src
  • PHP: 8.4.6
  • Server: nginx/1.27.4
  • Database: mysqli (Server: 8.4.4 / Client: mysqlnd 8.4.6)
  • Browser: Chrome 135.0.0.0
  • OS: Windows 10/11
  • Theme: Twenty Twenty-Five 1.2
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Bug Reproduction

  1. Enable Multisite
  2. As a WP Admin, create a new user at the Network level with the Subscriber role
  3. From the Network level, edit that Subscriber user
  4. Create a new Application Password for that user
  5. 🐞 Error: Invalid user ID

Expected Result

  • The application password is created successfully for that user

Actual Results

  1. 🟠 Issue resolved with patch, but some improvement required.

Additional Notes

In the PR, I have added two suggestions:

  1. Little mod to the patch just for readability purposes
  2. Improvements to the Unit Test proposed.
Last edited 13 days ago by SirLouen (previous) (diff)