Make WordPress Core

Opened 5 months ago

Last modified 2 months ago

#60029 new defect (bug)

Admin unable to create new Application Password for user with no role on main site (multisite)

Reported by: roytanck's profile roytanck Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Application Passwords Keywords:
Focuses: Cc:


I ran into this while trying to create an Application Password for a user from the network users admin screen (wp-admin/network/user-edit.php). It does work from any site's dashboard subsite/wp-admin/user-edit.php .

Steps to reproduce:

  • I used a completely multisite WP 6.4.2 in subdirectory mode.
  • Log in as an administrator.
  • Create at least one additional site (I called it "subsite").
  • Create a second user, and make them subscriber on "subsite".
  • If present, remove the user from the main site.
  • Go to the network "Users" screen, and edit the user.
  • Try to add an Application Password.

I got an error saying Invalid user ID..

Change History (3)

#1 @johnbillion
5 months ago

Previously: #53224

#2 @afunujoko1980
2 months ago

It appears that there is an issue with creating an Application Password for a user with no role on the main site in a WordPress multisite environment. This issue occurs specifically when attempting to create the password from the network users admin screen (wp-admin/network/user-edit.php).

Here's a summary of the steps to reproduce the issue:

  1. Log in as an administrator.
  2. Create at least one additional site (referred to as "subsite").
  3. Create a second user and assign them the subscriber role on the "subsite".
  4. Optionally, remove the user from the main site.
  5. Go to the network "Users" screen and edit the user.
  6. Attempt to add an Application Password.

The result is an error message stating "Invalid user ID."

This issue could be related to how WordPress handles user roles and permissions in a multisite environment, particularly when trying to manage Application Passwords for users who do not have a role on the main site.

To address this issue, you may need to investigate the underlying code that handles Application Password creation and user permissions in multisite environments. It's possible that a modification or workaround may be needed to ensure that users without roles on the main site can still create Application Passwords.

Additionally, you could try creating the Application Password from the dashboard of a subsite (subsite/wp-admin/user-edit.php), as you mentioned that it works from there. This could serve as a temporary workaround until a more permanent solution is implemented.

#3 @roytanck
2 months ago

I'm starting to wonder whether it makes sense to create application passwords at the network level at all. In the context of a (sub)site, it's clear that you're allowing access to that site. In the network admin, users could expect they're granting access to all sites, which I don't think is something WP supports?

Perhaps the best option is to remove the UI when editing a user in the network area?

Edit: Just noticed that WP does in fact support granting access to all sites a user has a role on.

Last edited 2 months ago by roytanck (previous) (diff)
Note: See TracTickets for help on using tickets.