Make WordPress Core

Opened 2 years ago

Last modified 5 weeks ago

#60029 reopened defect (bug)

Admin unable to create new Application Password for user with no role on main site (multisite)

Reported by: roytanck Owned by:
Milestone: 7.0 Priority: normal
Severity: normal Version:
Component: Application Passwords Keywords: changes-requested has-patch has-test-info
Focuses: multisite Cc:

Description

I ran into this while trying to create an Application Password for a user from the network users admin screen (wp-admin/network/user-edit.php). It does work from any site's dashboard (subsite/wp-admin/user-edit.php).

Steps to reproduce:

  • I used a completely multisite WP 6.4.2 in subdirectory mode.
  • Log in as an administrator.
  • Create at least one additional site (I called it "subsite").
  • Create a second user, and make them subscriber on "subsite".
  • If present, remove the user from the main site.
  • Go to the network "Users" screen, and edit the user.
  • Try to add an Application Password.

I got an error saying "Invalid user ID.".

Change History (19)

#1 @johnbillion
2 years ago

Previously: #53224

#3 @roytanck
22 months ago

I'm starting to wonder whether it makes sense to create application passwords at the network level at all. In the context of a (sub)site, it's clear that you're allowing access to that site. In the network admin, users could expect they're granting access to all sites, which I don't think is something WP supports?

Perhaps the best option is to remove the UI when editing a user in the network area?

Edit: Just noticed that WP does in fact support granting access to all sites a user has a role on.

Last edited 22 months ago by roytanck

#4 @johnbillion
9 months ago

  • Focuses multisite added
  • Keywords needs-patch added

Conversely, application passwords are stored in user meta and there is no concept of a per-site application password on a Multisite installation. They are all network-wide, just like the user's regular password.

A network admin should be able to create and revoke application passwords when editing a user from the network Users screen.

#5 This ticket was mentioned in PR #8638 on WordPress/wordpress-develop by @sukhendu2002.
8 months ago

  • Keywords has-patch has-unit-tests added; needs-patch removed

Trac ticket:

#6 follow-up: @sonaliprajapati
8 months ago

Steps to Fix:

Method 1

Step 1: Temporarily Assign a Role on the Main Site

  • Go to Network Admin > Sites.
  • Select the main site.
  • Navigate to the Users tab.
  • Add the user to the main site (e.g., assign them the "Subscriber" role).

Step 2: Generate the Application Password

  • Go to Network Admin > Users.
  • Edit the user and generate an Application Password.
  • Copy the generated password.

Step 3: Remove the Role (Optional)

  • If the user does not need access to the main site, remove them from it after generating the password.

Method 2: Alternative Solution via Code

If you want to avoid assigning roles manually, you can use a filter to allow users without a role to generate Application Passwords.

Add this to your mu-plugins or theme's functions.php:

<?php
add_filter( 'wp_is_application_passwords_available_for_user', function( $available, $user ) {
    return true; // Force enable application passwords for all users.
}, 10, 2 );

#7 in reply to: ↑ 6 @roytanck
8 months ago

Thank you, @sonaliprajapati. The methods you describe seem to be more of a workaround, and not a permanent solution. I'd much prefer the application password UI to simply work for users with a role on any site in the network.

#8 @roytanck
8 months ago

This issue seems to boil down to this bit in wp-includes/rest-api/endpoints/class-wp-rest-application-passwords-controller.php (line 722).

<?php
if ( is_multisite() && ! user_can( $user->ID, 'manage_sites' ) && ! is_user_member_of_blog( $user->ID ) ) {
        return $error;
}

If we could replace the call to is_user_member_of_blog with a function that checks for roles on any blog within the network, that would likely fix the issue. I don't think such a function currently exists?

Edit: 'get_blogs_of_user' could probably be used here? https://developer.wordpress.org/reference/functions/get_blogs_of_user/

Edit 2: This seems to work:

<?php
if ( is_multisite() && ! user_can( $user->ID, 'manage_sites' ) && empty( get_blogs_of_user( $user->ID ) ) ) {
        return $error;
}

However, it would probably make more sense to not show the application password UI at all if passwords can't be created.

Last edited 8 months ago by roytanck

#9 follow-up: @sonaliprajapati
8 months ago

Please add this code in functions.php, then it will work.

add_filter( 'wp_is_application_passwords_available_for_user', '__return_true' );

#10 in reply to: ↑ 9 @roytanck
8 months ago

Thank you. I realize this would fix the issue for me, but Trac is all about fixing issues for everyone. This issue is quite clearly caused by a bug in WP core, and the best solution would be to fix that bug.

(I actually have a more complicated version of the code you posted in production right now, which takes user capabilities and other things into account to determine which users should be able to have application passwords.)

Replying to sonaliprajapati:

Please add this code in functions.php, then it will work.

add_filter( 'wp_is_application_passwords_available_for_user', '__return_true' );
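As an added example (not code from this ticket, from PR #8638, or from any commenter's site), here is a scoped alternative to the force-enable filter discussed in comments 6, 9 and 10: it keeps application passwords available only to network administrators and to users who belong to at least one site in the network. It is a hypothetical mu-plugin with an assumed policy, and it only narrows eligibility; it does not change the REST controller check quoted in comment 8.

```php
<?php
/**
 * Added example: hypothetical mu-plugin, not WordPress core code.
 * Scopes Application Passwords instead of enabling them for every account.
 */
add_filter(
	'wp_is_application_passwords_available_for_user',
	function ( $available, $user ) {
		// Respect an earlier "false" from core or another plugin.
		if ( ! $available || ! ( $user instanceof WP_User ) ) {
			return false;
		}

		// Single-site installs: keep the decision already made.
		if ( ! is_multisite() ) {
			return $available;
		}

		// Network administrators stay eligible regardless of site membership.
		if ( user_can( $user->ID, 'manage_sites' ) ) {
			return true;
		}

		// Application passwords live in user meta and are network-wide, so
		// require membership of at least one site anywhere in the network
		// rather than only the site the request happens to run on.
		// By default get_blogs_of_user() skips sites marked as deleted,
		// archived or spam, so membership of only such sites does not count.
		return ! empty( get_blogs_of_user( $user->ID ) );
	},
	10,
	2
);
```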

#11 @johnbillion
8 months ago

  • Keywords needs-testing added
  • Milestone changed from Awaiting Review to 6.9

#12 follow-up: @SirLouen
8 months ago

  • Keywords reporter-feedback added; needs-testing removed

Reproduction Report

Description

❌ This report can't validate that issue can be reproduced.
@roytanck please review the Demo video provided here to check if I'm doing something wrong.

Environment

  • WordPress: 6.8-src
  • PHP: 8.4.6
  • Server: nginx/1.27.4
  • Database: mysqli (Server: 8.4.4 / Client: mysqlnd 8.4.6)
  • Browser: Chrome 135.0.0.0
  • OS: Windows 10/11
  • Theme: Twenty Twenty-Five 1.2
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Actual Results

  1. ❌ Error condition doesn't occur (reproduced in the video attached).

Additional Notes

@roytanck AFAIK, WP 6.4 is at the end of its cycle. I cannot even deploy it in my testing env easily.
You should consider upgrading to the latest version, 6.8.0, released yesterday, because regardless of whether we end up finding a solution to this or not, you will not get a patch for your specific version; it will be integrated into trunk and afterwards moved into the future 6.9.0, if that's the case.

Supplemental Artifacts

Demo video: https://f003.backblazeb2.com/file/wordpress-videos/wp-videos/2025/05/60029.mp4

Last edited 7 months ago by SirLouen

#13 in reply to: ↑ 12 @roytanck
8 months ago

Thank you for testing. Obviously I'm no longer using WP 6.4. This is an older ticket, and 6.4 was the current version when it was created.

The error occurs when a network admin attempts to create an application key from the network admin users screen (wp-admin/network/user-edit.php?user_id=[user_id]). It does indeed work if you instead go to the subsite, and edit the user from there.

If we decide that creating new application keys should only be possible in a context (site) where the user has a role, then we should probably hide the UI in the network admin. If not, we should make it possible to create new keys without this error happening.

#14 @SirLouen
8 months ago

  • Keywords changes-requested added; has-patch has-unit-tests reporter-feedback removed

Combined Bug Reproduction and Patch Test Report

Description

🟠 This report validates that patch works as expected with some caveats

Patch tested: https://github.com/WordPress/wordpress-develop/pull/8638.diff

Environment

  • WordPress: 6.9-alpha-60093-src
  • PHP: 8.4.6
  • Server: nginx/1.27.4
  • Database: mysqli (Server: 8.4.4 / Client: mysqlnd 8.4.6)
  • Browser: Chrome 135.0.0.0
  • OS: Windows 10/11
  • Theme: Twenty Twenty-Five 1.2
  • MU Plugins: None activated
  • Plugins:
    • Test Reports 1.2.0

Bug Reproduction

  1. Enable Multisite
  2. As a WP Admin, create a New user in the Network level with Subscriber role
  3. From the Network-level, edit that Subscriber user
  4. Create a new application Password for such user
  5. 🐞 Error: Invalid user ID

Expected Result

  • The application password is created successfully for such user

Actual Results

  1. 🟠 Issue resolved with patch, but some improvement required.

Additional Notes

In the PR, I have added two suggestions:

  1. Little mod to the patch just for readability purposes
  2. Improvements to the Unit Test proposed.

Last edited 8 months ago by SirLouen

#15 @soyebsalar01
7 months ago

Patch Tested:
https://github.com/WordPress/wordpress-develop/pull/8638.diff

Summary:
This report confirms that the patch successfully resolves the issue described. However, a minor refinement or improvement may still be helpful for a more seamless experience.

Environment

WordPress Version: 6.9
PHP Version: 8.1
Must-Use Plugins: None


Test Reports :

Bug Reproduction Steps

Enable Multisite.
As a Network Admin, create a new user at the Network level and assign them the Subscriber role.
Edit this user from the Network Admin panel.
Attempt to create a new Application Password for the user.

Without Patch

Result:
Error message: Invalid user ID

Expected Behavior

Application password should be successfully created for the Subscriber user at the Network level.

Actual Result (With Patch Applied)

Status: Issue resolved — application password is now created as expected.


#16 @SirLouen
7 months ago

  • Keywords has-patch has-test-info added

@sukhendu2002 here is a patch for you to review.

#17 @SirLouen
6 months ago

@sukhendu2002 I've reviewed your last comment.
We only have the unit test you provided left to sort out.

#18 in reply to: ↑ description ; follow-up: @bina25
3 months ago

  • Resolution set to invalid
  • Status changed from new to closed

Replying to roytanck:

I ran into this while trying to create an Application Password for a user from the network users admin screen (wp-admin/network/user-edit.php). It does work from any site's dashboard (subsite/wp-admin/user-edit.php).

Steps to reproduce:

  • I used a completely multisite WP 6.4.2 in subdirectory mode.
  • Log in as an administrator.
  • Create at least one additional site (I called it "subsite").
  • Create a second user, and make them subscriber on "subsite".
  • If present, remove the user from the main site.
  • Go to the network "Users" screen, and edit the user.
  • Try to add an Application Password.

I got an error saying "Invalid user ID.".

#19 in reply to: ↑ 18 @johnbillion
3 months ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

Replying to bina25:

Why did you close this ticket? It's a valid bug report that's scheduled to be fixed in WordPress 6.9.

#20 @wildworks
5 weeks ago

  • Milestone changed from 6.9 to 7.0

This ticket has been inactive for a while, and with RC1 approaching, I'll punt it to 7.0. However, the pull request seems to have already been reviewed, so if you're ready to commit, please go ahead.
