heiglandreas / authLdap

LDAP-Authentication for WordPress
http://andreas.heigl.org/cat/dev/wp/authldap/
MIT License

Users can't access dashboard on the first login #254

Closed frixion9 closed 2 months ago

frixion9 commented 3 months ago

Hi,

thank you for your great plugin.

Can you help me resolve the following bug: The user has to log in twice to gain access to the WordPress dashboard. When we try to log in with the new user we can see that the roles are added correctly and the user logs in without any problems. However, when he is logged in, he is transferred to the public part of the site and if he wants to go to the dashboard is always redirected to the homepage. However, if he logs out, and logs in again, everything works as expected.

heiglandreas commented 3 months ago

Hm. That seems odd.

How do they try to get to the dashboard? What URLs are they trying to actually access? That sounds like some part of the URL is persisted after the login that then causes this redirect-loop to the homepage.

Can you create a short video (please include the URL-bar of the browser) or provide me with the URLs that the user tries to access? That would be really helpful.

I doubt that it is related to the plugin but one never knows 😁

frixion9 commented 3 months ago

Thank you for your fast reply. I have sent you two emails, one containing videos inside a zip file, and another one with links and screenshots.

We have tried to debug this problem, but we didn't have much success. Although we figured out that the bug is not deterministic and as you said, it may not have anything to do with the plugin, we haven't noticed this kind of behavior with an old version of the plugin and that is why I decided to contact you. We need to be able to have multiple roles per user and this is a great feature of the new version.

So, about the non-deterministic bug:

We will try to check if there is some conflict with other plugins or something else we did, because as you said it maybe isn't related to the plugin, but it's a place to start our debugging process since this happens only to the users from our LDAP, WordPress users are behaving as expected 😄

heiglandreas commented 3 months ago

Ah... I think I know what happens. And that's totally related to the plugin and a recent update!

Dammit! You brought me a nice bug report I fear 😁

Let me do a bit of guessing here:

Under these circumstances I can indeed imagine that they need to log in twice to be able to access the backend.

And when a user is member of the LDAP-Groups EXHIBIT_EDITOR, ESERVICES_ADMINISTRATOR and INSTITUTION_REGISTRATION_ADMINSTRATOR they will most probably have to log in three times before they are able to access the backend...

Does that summarize what is happening?

frixion9 commented 3 months ago

It seems like it 😅

Yes, that is exactly what is happening.

heiglandreas commented 3 months ago

Then the problem seems indeed to be based on an "issue" in the library. Sorry for the inconvenience.

The lib was built at a time where a user could only have one role in WordPress (long time ago) but never actually changed much around that.

Which is why we check for WordPress roles matching LDAP-groups the user is member of one after the other in the order in which they are displayed in the settings UI. The first find will win and be returned.

Which means we are gradually adding the roles based on the LDAP groups one per login 🙈

I'll need to figure out a way how to fix that. That'll take a day or two.

Thank you for your excellent report and help on triaging the issue.

frixion9 commented 3 months ago

No problem, I am glad you managed to locate the problem, and thank you for explaining what is going on :)

I understand it makes sense to do it like that because how many roles will have opposing access to the dashboard 😅 if that wasn't the case, we would never notice this.

In case we also figure something out, I'll let you know. Thank you for the help 😃

frixion9 commented 2 months ago

Hi, do you have any update on this?

heiglandreas commented 2 months ago

Not yet. It's on my todo list for the week though...

heiglandreas commented 2 months ago

I have sketched your requirements in a Gherkin file in https://github.com/heiglandreas/authLdap/pull/256/files#diff-fca8f591e0ecc80958adbce268332d994bcedb854044dd4ddb78112c4e8b16d5

Next up is getting the pipeline up and running and then to get the test green 😉

heiglandreas commented 2 months ago

Turns out: I already thought about this but forgot it 🙈

So it looks like the documentation needs an overhaul. Thanks for the reminder!

As this is a feature that - at least at the point of writing - wasn't possible to use in the default UI I decided to not have that exposed as yet another UI-switch but instead let people create a filter function to support that as it was a so rarely required switch.

So when you add the following code to your functions.php you will be able to assign all groups at once:

add_filter('authLdap_allow_multiple_roles', function(): bool {
    return true;
});

The tests are now actually taking that into account! I will update the docs as next step!
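As an added illustration (not authLdap's own code), the following stand-alone PHP script models the role matching described in this thread: roles are checked in settings-UI order, without the filter the first match wins, and with `authLdap_allow_multiple_roles` returning true every matching role is assigned at once. The role names and the mapping are constructed; `$allowMultiple` stands in for the value the filter returns, and `dropped_roles()` is an assumed helper for checking a mapping before users hit the problem.

```php
<?php
// Added illustration, not authLdap's own code. Models the matching
// behaviour described in this thread: roles are checked in settings-UI
// order, and without the authLdap_allow_multiple_roles filter only the
// first matching role is returned.

/**
 * @param array<string,string> $roleToGroup   role => LDAP group, in settings-UI order
 * @param string[]             $userGroups    groups the user is a member of
 * @param bool                 $allowMultiple value the authLdap_allow_multiple_roles filter returns
 * @return string[] roles a single login would assign
 */
function resolve_roles(array $roleToGroup, array $userGroups, bool $allowMultiple): array
{
    $roles = [];
    foreach ($roleToGroup as $role => $group) {
        if (!in_array($group, $userGroups, true)) {
            continue;
        }
        $roles[] = $role;
        if (!$allowMultiple) {
            return $roles; // first find wins
        }
    }
    return $roles;
}

/** Roles the user is entitled to but that first-match-wins silently drops (assumed helper). */
function dropped_roles(array $roleToGroup, array $userGroups): array
{
    $all   = resolve_roles($roleToGroup, $userGroups, true);
    $first = resolve_roles($roleToGroup, $userGroups, false);
    return array_values(array_diff($all, $first));
}

// Constructed sample mapping; the group names are the ones quoted in this thread,
// the WordPress role slugs are made up for the example.
$mapping = [
    'exhibit_editor'  => 'EXHIBIT_EDITOR',
    'eservices_admin' => 'ESERVICES_ADMINISTRATOR',
    'inst_reg_admin'  => 'INSTITUTION_REGISTRATION_ADMINSTRATOR',
];
$groups = ['INSTITUTION_REGISTRATION_ADMINSTRATOR', 'EXHIBIT_EDITOR', 'ESERVICES_ADMINISTRATOR'];

var_dump(resolve_roles($mapping, $groups, false)); // behaviour without the filter
var_dump(resolve_roles($mapping, $groups, true));  // behaviour with the filter returning true
var_dump(dropped_roles($mapping, $groups));        // roles a user would otherwise only gain on later logins
```

Running `dropped_roles()` against your real mapping and a test account's group list is a quick way to confirm whether the filter is needed for your setup.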