[wp-trac] [WordPress Trac] #36961: wp_roles displays incorrect roles in multisite

WordPress Trac noreply at wordpress.org
Fri May 27 18:24:08 UTC 2016


#36961: wp_roles displays incorrect roles in multisite
-----------------------------+-----------------------------
 Reporter:  ryanduff         |      Owner:
     Type:  defect (bug)     |     Status:  new
 Priority:  normal           |  Milestone:  Awaiting Review
Component:  Role/Capability  |    Version:  4.2
 Severity:  normal           |   Keywords:
  Focuses:  multisite        |
-----------------------------+-----------------------------
 The WP_User class accepts a 3rd parameter for a site ID, but this never
 translates over to roles.

 In class-wp-user.php WP_User->_init_caps() the correct capabilities are
 retrieved from the database, but when WP_User->get_role_caps() gets
 called, the first thing it does is fire wp_roles() in capabilities.php.
 This will global $wp_roles or if not set, it will initialize a new
 WP_Roles class.

 Where this becomes a problem is if you're not on the site you're checking
 the roles on, wp_roles() returns the roles of the current site instead.
 Back in WP_User->get_role_caps(), the arrays get filtered and since
 there's a mismatch of roles defined on current site vs roles actually
 assigned to user, you will get an empty array as a result when looking at
 WP_User->roles.

 To see this in action, I set up a test multisite install to confirm. I
 deleted all roles but admin on the main site, then created 2 new arbitrary
 roles. I then created a second site in the install, deleted all roles but
 admin, and created another arbitrary role. I added a new user to the
 install. If I go to network admin and attempt to assign the user to site
 2, the roles drop down displays the roles defined on site 1 rather than
 site 2. If I go to the dashboard of site 2 and go to add the user, I see
 the correct roles available.

 I'm not sure if this is intended behavior, though I can't imagine it is as
 it leads to a bug in network admin allowing a user to be set to a role
 that potentially doesn't even exist on the site you assign them to.

 I've tested this from WP 4.2-4.5 and get the same results in wp-admin.

 Logging as roles/capabilities component, because even though it affects
 multisite, I think the core issue exists in roles and capabilities.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/36961>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
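
The mismatch reported in this ticket can be guarded against in code that assigns users across sites. The following is an added example, not part of the original ticket and not WordPress core code: it validates a role against the target site's own role list before assigning it. The function names prefixed with `example_` are hypothetical, and the code assumes that switch_to_blog() reloads the role definitions for the target site so that wp_roles() reflects that site until restore_current_blog() is called.

```php
<?php
/**
 * Added example (not WordPress core code). Function names are hypothetical.
 * Assumption: after switch_to_blog(), wp_roles() reflects the target site's
 * role definitions rather than those of the site the request started on.
 */

/** Return the roles defined on a given site as [ slug => display name ]. */
function example_get_site_role_names( $site_id ) {
    switch_to_blog( $site_id );
    $names = wp_roles()->get_names();
    restore_current_blog();

    return $names;
}

/**
 * Add a user to a site only if the requested role is defined on that site.
 * Returns true on success or a WP_Error describing why it was refused.
 */
function example_add_user_to_site_checked( $site_id, $user_id, $role ) {
    if ( ! is_multisite() ) {
        return new WP_Error( 'example_not_multisite', 'Multisite is not enabled.' );
    }

    // Look the role up on the target site, not on the current one.
    $site_roles = example_get_site_role_names( $site_id );

    if ( ! isset( $site_roles[ $role ] ) ) {
        return new WP_Error(
            'example_unknown_role',
            sprintf( 'Role "%s" is not defined on site %d.', $role, $site_id )
        );
    }

    // add_user_to_blog() returns true or a WP_Error of its own.
    return add_user_to_blog( $site_id, $user_id, $role );
}
```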

