Support » Networking WordPress » email address instead of username when adding existing user

  • This might be loosely related to this bug, but for some reason a site admin (but not a super admin) must use an email address to add an existing network user instead of an email address or a username.

    Part of the code for this appears to be around line 45 of wp-admin/user-new.php:

        if ( is_super_admin() ) {
            $user_details = get_user_by('login', $_REQUEST[ 'email' ]);

    and line 256:

        } else {
            _e( 'Enter the email address or username of an existing user on this network to invite them to this site.  That person will be sent an email asking them to confirm the invite.' );
            $label = __('E-mail or Username');

    Is there a security reason for this or is it simply a case of not having granular enough permission checks to allow this for site admins in multisite?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    It’s not a bug, it’s to allow you to add a user who exists OR someone who doesn’t. If you put in an email of someone that doesn’t exist they’ll be added.

    Thread Starter mrnipper

    (@mrnipper)

    That doesn’t make any sense. There are two fields normally, one for adding new users and one for existing users. When adding an existing user as a super admin, you have the option of using an email or a user name. When adding as a site admin, you only can use an email. We also have the option to add users disabled at the network level, so site admins don’t see the add new field at all anyway.

    And once the person has been added, the site admin is going to see their user name anyway, so it doesn’t seem like a potential security or information leak necessarily to let them add by user name just like a super admin can.

    I can take out the check for is_super_admin and the get_user_by would work just as well for a site admin as a super admin, no? The question is, does that present a security risk of some kind that I’m not seeing?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    I don’t think so, but I also don’t think that other ticket is a bug 😉

    I’d have to play with the various cases before, though. I mean, I do think that since the ability of a smart hacker to screw with a multisite can hurt more people than a single site, it’s safer to restrict users and force the emails (site admins are adding users to sites, not the network, really).

    But adding a known user to your site... I could argue the wisdom of that both ways. It’s not like I, the site admin, won’t get your email address anyway. It’s something to scour trac for, see if it came up before.

    Thread Starter mrnipper

    (@mrnipper)

    I’m actually waiting on the other ticket to hit 3.4 (hopefully) because my site admins are annoyed with not being able to simply add users and skip the confirmation step entirely. In an academic setting, and using LDAP authentication, the confirmation is entirely unnecessary and only serves to confuse our users.

    This problem I mention is more of an annoyance for our site admins, because it’s always possible for a user to change their email address. But their LDAP based user name will never change in our system and it’s the one thing that can always be considered authoritative.

    I guess I can play around with the code and submit a patch. I looked around a bit in Trac for anything about this. Given the existence of the aforementioned request for enhancement, I felt like this should probably be handled the same way. Given sufficient privilege (and site admin I think would qualify), either an email address or a user name can be used to add an existing network user to your site.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    Oh it won’t hit 3.4 at all. 3.4 is in beta already, it’s well past time for that. (I expect 3.4 to be released this weekend, or next).

    I don’t think a site-admin should be able to see all the network users at all. There are, certainly, use-cases where it’d be nice, but given the intention of WP Multisite to be multiple, separate, sites, I don’t think I’d want all of my site-admins to know that my grandmother also has an account on the same network 😉

    This is a case where a plugin is best.
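An added illustration of the plugin route suggested above; this is example code written for this page, not code from the thread, from WordPress core, or from any published plugin. It lets a site admin who holds the `promote_users` capability type a username into the "Add Existing User" field, and swaps that username for the account's email address before the `adduser` branch quoted at the top of the thread runs its own email lookup. Assumptions: the form still posts `action=adduser` and the identifier in `$_REQUEST['email']`, and the `admin_init` action fires before that code in `wp-admin/user-new.php`; the plugin and function names are made up for the example.

```php
<?php
/*
Plugin Name: Example: username lookup for site admins
Description: Added example for this support thread, not WordPress core code.
             Resolves a username to its email on the "Add Existing User" form
             so core's email-only lookup for non-super-admins still succeeds.
*/

add_action( 'admin_init', 'example_resolve_username_to_email' );

function example_resolve_username_to_email() {
    global $pagenow;

    // Only act on the "Add Existing User" submission on user-new.php in multisite.
    if ( ! is_multisite() || 'user-new.php' !== $pagenow ) {
        return;
    }
    if ( ! isset( $_REQUEST['action'], $_REQUEST['email'] ) || 'adduser' !== $_REQUEST['action'] ) {
        return;
    }

    // Super admins already get a login lookup from core (see the is_super_admin
    // branch quoted in the thread); leave their request untouched.
    if ( is_super_admin() ) {
        return;
    }

    // Require the capability that gates adding users to a site. Core's own nonce
    // check still runs afterwards and rejects a forged request regardless of the
    // value substituted here.
    if ( ! current_user_can( 'promote_users' ) ) {
        return;
    }

    $identifier = stripslashes( $_REQUEST['email'] );

    // An email address is the case core already handles; do nothing.
    if ( is_email( $identifier ) ) {
        return;
    }

    $user = get_user_by( 'login', sanitize_user( $identifier ) );

    // On a miss, leave the value alone so core shows its usual "not found"
    // message; no different error path is introduced for unknown logins.
    if ( ! $user ) {
        return;
    }

    // Hand core the email it expects; the rest of the flow (confirmation
    // email, role assignment) is unchanged.
    $_REQUEST['email'] = $user->user_email;
}
```

Drop the file into `wp-content/mu-plugins/` so it loads network-wide. Note the trade-off the moderator describes: with this in place a site admin can learn whether a given login exists anywhere on the network (the add either succeeds or reports "not found"), which is the information core deliberately withholds from non-super-admins. If that matters, restrict the lookup further, for example to logins already present in a directory the site admins are allowed to see, rather than the whole network user table.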

  • The topic ‘email address instead of username when adding existing user’ is closed to new replies.