[wp-trac] [WordPress Trac] #28493: Multi site: User can still log into network after being removed from a site
WordPress Trac
noreply at wordpress.org
Mon Jun 9 19:34:28 UTC 2014
#28493: Multi site: User can still log into network after being removed from a site
---------------------------------------+-----------------------------
Reporter: Jpyper | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 3.5.2
Severity: normal | Keywords:
Focuses: administration, multisite |
---------------------------------------+-----------------------------
Encountered on a 3.5.2 install, tested and confirmed still a problem in
3.9.1.
I count this a bug because once removed from all sites on a network, a
user should definitely not be able to log in again for any reason with the
same credentials.
The real issue here is deleting a user from an individual site does not
remove it from the network even when they are not registered to any other
sites.
I'm happy to make a patch for this but I'd like some input on the best way
to go about it.
Case:
-Multisite network
-Delete single user from single site, user is not registered on any other
site.
-User uses login info associated with deleted user and gains access but is
only allowed to view the dashboard and edit their profile info.
-User is not removed from wp_users and wp_usermeta still has rows using
this user ID.
Expected: If user is not registered on other blogs, they should be removed
completely from the network when removed from the single site they are
registered on.
My thought is to make an addition to remove_user_from_blog in wp-includes
/ms-functions.php (called by remove_user_from_blog in wp-
admin/includes/ms.php) where it does
{{{
$blogs = get_blogs_of_user($user_id);
if ( count($blogs) == 0 ) {
update_user_meta($user_id, 'primary_blog', '');
update_user_meta($user_id, 'source_domain', '');
}
}}}
Could do
{{{
$wpdb->delete( $wpdb->users, array( 'ID' => $user_id ) );
$wpdb->delete( $wpdb->usermeta, array( 'ID' => $user_id ) );
}}}
similar to wp_delete_user (wp-admin/includes/user.php)
It's worth noting that just above wpmu_delete_user is
{{{
// @todo Merge with wp_delete_user() ?
}}}
So maybe it's time for that, but I would like to at least get in having
the user removed from the network upon removal of the last blog they are
registered to.
If the best thing I could do right now for feedback purposes is submit a
patch with my idea of what would fix it, then I can just do that.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/28493>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list