Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updating a user with an invalid role should show a warning #160

Closed
johnbillion opened this issue Mar 29, 2018 · 7 comments
Closed

Updating a user with an invalid role should show a warning #160

johnbillion opened this issue Mar 29, 2018 · 7 comments
Labels
command:user command:user-update good-first-issue
Milestone
2.5.1

Comments

@johnbillion
Copy link
Contributor

The following command always succeeds. Ideally it should fail when an invalid role name is passed.

wp user update <username> --role=bananas
@danielbachhuber
Copy link
Member

Thanks for the report, @johnbillion. Some follow-up questions (thinking aloud, not necessarily for you):

  1. Is there a valid use case for assigning an invalid role to a user?
  2. Would there be backwards compatibility concerns in changing the current behavior?
  3. Is there other prior art within WP-CLI where we've changed user input validation similarly?

@johnbillion
Copy link
Contributor Author

Idea that addresses 1 and 2: Trigger a warning instead of erroring.

@swissspidy
Copy link
Member

Does core error when updating a user with an invalid role?

@twocs
Copy link

twocs commented Jan 9, 2020
edited
Loading

This is an interesting but old thread, that addresses a question I had. And doesn't seem to be addressed elsewhere.

Although there are validation checks in core creating a new user, e.g. for the email address, there do not appear to be checks on role. It is entirely valid for users to have no role, but there does not seem to be any restriction about having a role that's not in the database. Removing a role from the database does not seem to remove it from the users, so conversely, one might create users with a certain role, then later create the role to grant capabilities.

Relevant code:

User
https://core.trac.wordpress.org/browser/tags/5.3/src/wp-includes/user.php

WP-User
https://core.trac.wordpress.org/browser/tags/5.3/src/wp-includes/class-wp-user.php

Roles
https://core.trac.wordpress.org/browser/tags/5.3/src/wp-includes/class-wp-roles.php

@danielbachhuber
Copy link
Member

@johnbillion Still think we should implement this? If so, I'm good with it.

@johnbillion
Copy link
Contributor Author

It is unusual (or not?) that WP core doesn't validate the role, but I think there's value in doing so in WP-CLI. +1 for accepting the role but triggering a warning, which means if you're creating a user interactively and you typo the role then at least you'll see a warning.

@danielbachhuber danielbachhuber changed the title Updating a user with an invalid role should fail Updating a user with an invalid role should show a warning Jan 11, 2023
@SH4LIN SH4LIN mentioned this issue May 26, 2023
Merged
@SH4LIN
Copy link
Contributor

SH4LIN commented May 26, 2023

Right now entering the invalid URL will give a warning than a success message and in the WordPress dashboard the role will be changed to none

@danielbachhuber danielbachhuber added this to the 2.5.1 milestone May 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
command:user command:user-update good-first-issue
Projects
None yet
Milestone
2.5.1
Development

No branches or pull requests
5 participants
@danielbachhuber @twocs @johnbillion @swissspidy @SH4LIN