michaelryanmcneill / shibboleth

Shibboleth plugin for WordPress
https://wordpress.org/plugins/shibboleth/

Users on network sites not correctly provisioned after the first one #54

Open dsXLII opened 5 years ago

dsXLII commented 5 years ago

(The below is copy/pasted from my original post at https://wordpress.org/support/topic/issues-with-multisite-not-provisioning-users-on-all-network-sites/ .)

I’ve used the Shibboleth plugin successfully on hundreds of single WordPress installs, and first off, I’d like to thank everyone who works on it. Y’all are awesome.

We’re exploring implementing multisite, and have created a test network of three sites. The plugin is active at the network level, instead of at the site level (this prevents the owners of individual sites from inadvertently breaking the Shib settings, and should make it easier to add new sites to the network if we wish). I used more-or-less the same settings we use for all our single-site installs, with only a few changes (in particular, making the login URL relative instead of absolute). I’ve enabled the ‘Automatically create accounts’ setting, allowing automatic merging and disallowing manual merging. Our sites’ default role is ‘Subscriber’.

When a new user (one that doesn’t already have an account on the network) visits any site in the network, the account is provisioned as I would expect — the network-level account is created, and the account is granted Subscriber privileges on whatever specific site the user first hit. But when that user visits another site in the network, they are not automatically granted the default role for that site. I’m still trying to narrow down exactly what happens when, but either that user is redirected to /wp-admin/ for their “first” site (the one where their Subscriber account was first provisioned), or the user gets the WordPress screen saying that they don’t have any role on that site (listing the one site where they do have a role).

This feels like a bug. I'd expect a user, visiting other subsites in the network, to be treated like a "new" user for those sites, and to have their user account auto-provisioned for that site and granted the default role. Instead, the new-user code probably doesn't trigger (since strictly speaking the user already does exist), and the user does not get default access to the second/third/etc. subsites.

jrchamp commented 5 years ago

> Instead, the new-user code probably doesn't trigger (since strictly speaking the user already does exist), and the user does not get default access to the second/third/etc. subsites.

I expect that you are correct and shibboleth_create_new_user() is doing both the Create user and Assign role actions which should probably be done separately for it to work correctly in multisite. Within shibboleth_authenticate_user(), after we know that the user exists, it should probably check is_user_member_of_blog() and if not then add_user_to_blog() with the default role coming from shibboleth_get_user_role(). This would remove or modify all of these lines from shibboleth_create_new_user(): https://github.com/michaelryanmcneill/shibboleth/blob/master/shibboleth.php#L636-L641

What are your thoughts on this?

michaelryanmcneill commented 5 years ago

I agree with this proposed course of action @jrchamp. Glad to accept a PR to resolve this bug.

jakeparis commented 2 years ago

Fwiw, the current behavior makes sense for our situation. Just to go over it (in case I'm misunderstanding the OP's description):

  1. user logs into WPmu site for first time
  2. user is provisioned an account on the main site as default role
  3. user has no access to any other site unless it is specifically granted to them by that site's admin.

I think this is how it should be, and it prevents all the sub-sites' user roles from getting filled up with a bunch of "subscriber"s with no access, just because someone happened to visit the site while logged in. I would not like to see this behavior changed without at least a settings option to keep it the way it is now.
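
The fix proposed earlier in this thread (check is_user_member_of_blog() once the user is known to exist, then add_user_to_blog() with the role from shibboleth_get_user_role()), gated behind the opt-in setting requested in the last comment, could look like the sketch below. It is an added example, not part of any comment and not the plugin's own code; the function name and the option name are hypothetical, and shibboleth_get_user_role() is assumed to take no arguments and return a role slug.

```php
<?php
// Added example, not the plugin's code. Assumes it runs inside WordPress
// multisite with the Shibboleth plugin loaded. The function name and option
// name are hypothetical; shibboleth_get_user_role() is the helper named in
// the thread and is assumed to return a role slug (or an empty value).

/**
 * Grant the current site's default role to an existing network user,
 * but only when the network admin has opted in.
 *
 * @param WP_User $user User that Shibboleth has just authenticated.
 * @return bool True if a role was granted on this site, false otherwise.
 */
function example_shibboleth_maybe_add_to_blog( $user ) {
	if ( ! is_multisite() || ! ( $user instanceof WP_User ) ) {
		return false;
	}

	// Hypothetical network-level switch. Default off keeps the current
	// behaviour: access to a subsite must be granted by that site's admin.
	if ( ! get_site_option( 'example_shibboleth_auto_join_sites', false ) ) {
		return false;
	}

	$blog_id = get_current_blog_id();
	if ( is_user_member_of_blog( $user->ID, $blog_id ) ) {
		return false; // Never overwrite a role an admin has already set.
	}

	// Assumption: role slug derived from the user's Shibboleth attributes.
	$role = shibboleth_get_user_role();
	if ( empty( $role ) || null === get_role( $role ) ) {
		return false; // Empty or unknown role: fail closed, grant nothing.
	}

	$result = add_user_to_blog( $blog_id, $user->ID, $role );
	return ! is_wp_error( $result );
}
```

As proposed in the thread, the call would go in shibboleth_authenticate_user() after the existing user has been looked up, with the role assignment removed from shibboleth_create_new_user().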