Role gets reset on subsequent logins
I have the plugin to set the default role for new users to Subscriber. Once the user logs in, I elevate the role. However, on subsequent logins, the role is reset to Subscriber.
I’m using CAS authentication. How can I prevent this?
This topic was modified 7 years, 8 months ago by
mmcglynn. Reason: Added type of authorization
Can you check their entry in the Authorizer Approved User list? Their role should be listed there, and it should be in sync with whatever role you set if you edit the user via the WordPress UI (Edit User). If you’re changing the role elsewhere, it’s possible it doesn’t sync up.
Here’s what I am doing.
– User is created by CAS.
– Logout
– Change user’s Role on Authorizer > Access Lists from default (Subscriber) to Editor.
– Confirm change on WP Users list
– Login
User’s role is converted to Subscriber. Even if default role for new users is set to something else, like Contributor, subsequent logins will always set that user’s role to Subscriber.
Hi @mmcglynn,
To clarify, when you say the “User is created by CAS”, this means that they log in via CAS and (with Anyone Can Register set in the WordPress general settings), their account is automatically created?
Just narrowing down the settings now for internal testing. Thanks!
“Anyone can register” is unchecked. Should it be checked?
When I say “User is created by CAS”, I mean that the SAML response is captured by your plugin and the WP User is created.
This is continuing to happen. I will continue to test and provide what I can.
This is a showstopper bug for us.
I should note that I have not yet been able to reproduce this for every account. There are some accounts for which this does not occur. I don’t know why that is, given that the accounts are all the same based on what I know.
Could this be a cookie, browser or other environmental issue? Suffice to say that since we use network accounts for CAS, there is no way for me to impersonate a problem user.
However, I do have a test account which exhibits this behavior.
I should also add that this is in testing and i am comfortable adding or changing the code at your guidance to help debug.
It is fine that “Anyone can register” is unchecked; I am working to make sure we are replicating the same setup on our local test environment to replicate the bug.
To check, are there a large number of concurrent logins or account generation occurring on your test instance? I realize it’s likely not the case, just trying to rule out one case we’ve been looking at.
I understand it being a showstopper–roles should not be changing! I’ll be testing throughout this morning HST and should hopefully have an update later today. Thank you for your continued input.
A few additional questions @mmcglynn:
Is the “New User Default Role” under Settings -> General the same as the “Default role for new users” under Authorizer -> External Service? Just want to make sure the two are not conflicting.
When a user logs in for the first time, are they already in the Authorizer Approved Users list, or are they placed in the Pending list and subsequently approved, moving them to the Approved Users list?
If the user is an Approved User in the Authorizer Access List, but does not yet have a created WordPress account (they have not logged into the site yet), is the desired role set via Authorizer before or after their first login and the WordPress account creation?
If the user is NOT in the Approved Users list, and ends up in the Pending list, do you set the role before Approving the user, or after? For example, when a new user shows up in the Pending list under Authorizer, you can set the role then approve the user. You can also approve the user, then change their role.
Finally, when the issue crops up with a user, does it persist it if you delete the user (either via Authorizer or via the WordPress User management) and have them log in again?
Thanks!
>>To check, are there a large number of concurrent logins or account generation occurring on your test instance?<<
No, this is about 20 users total in the WP install.
>>Thank you for your continued input.<<
Will do anything I am able to and that time allows.
One more thing: For one of the users that logs in and displays this issue, can you pull the role information from the wp_usermeta table, specifically the wp_capabilities meta_key, and post the literal contents of the meta_value?
It should look something like:
a:1:{s:13:"administrator";b:1;}
Please let me know if you need assistance with this process.
“New User Default Role” under Settings -> General is the same as the “Default role for new users” under Authorizer -> External Service.
When a user logs in for the first time, they are in the Authorizer Approved Users list. I assume this is because “Only approved users (Approved external users and all WordPress users)” is not checked.
If the user is an Approved User in the Authorizer Access List, but does not yet have a created WordPress account (they have not logged into the site yet), is the desired role set via Authorizer before or after their first login and the WordPress account creation?
I’m not sure I understand. If I set External > Default role for new users to “Subscriber”, that is the role I expect and want. I see this as a nominal role. Everyone who can authenticate to the site via CAS needs a default and “Subscriber” is it.
Subsequently, for some users, we want to elevate permissions. This is why I then manually set the user’s role to “Editor”. The issue that we are trying to identify is why that role is reset when the user logs out and then in again, say on the next day.
If the user is NOT in the Approved Users list, and ends up in the Pending list, do you set the role before Approving the user, or after? For example, when a new user shows up in the Pending list under Authorizer, you can set the role then approve the user. You can also approve the user, then change their role.
As above, we don’t want to do any manual approval, but rather have a nominal role. This is why we aren’t using the Pending state, but would do so to resolve this issue.
We previously used LDAP authentication and in that case the user needed to be added manually so that the LDAP plugin could match on the user’s ID. We have to eliminate manual user provisioning.
Absolutely, the issue persists when I delete the user. I have tested this thoroughly.
I hope I am being clear, but happy to clarify.
a:1:{s:10:"subscriber";b:1;}
When I update the user’s role:
a:1:{s:6:"editor";b:1;}
When user logs in and then out:
a:1:{s:10:"subscriber";b:1;}
Tomorrow I will turn on debugging and send a log.
Could something odd be happening on user log out?
When a user logs in for the first time, they are in the Authorizer Approved Users list. I assume this is because “Only approved users (Approved external users and all WordPress users)” is not checked.
Thank you; this is an important setting to have checked! I’ll change our test environment to automatically approve authenticated users.
I’m not sure I understand. If I set External > Default role for new users to “Subscriber”, that is the role I expect and want. I see this as a nominal role. Everyone who can authenticate to the site via CAS needs a default and “Subscriber” is it.
Subsequently, for some users, we want to elevate permissions. This is why I then manually set the user’s role to “Editor”. The issue that we are trying to identify is why that role is reset when the user logs out and then in again, say on the next day.
Apologies, this is due to my presumption that you had “Only approved users” checked; you may disregard my statements from there.
We will change over our local test environment to auto-approval and continue working on the issue!
Tomorrow I will turn on debugging and send a log.
Thank you, please let me know if you would prefer to send it via email or a more secure channel.
Could something odd be happening on user log out?
Potentially; it would be good to see what the user’s role is directly after they log in, and then again after they log out.
Thank you again for your assistance in hunting down the bug!
Also (just so I don’t forget for later), can you please verify the version of WordPress and Authorizer you’re working with?
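One way to capture the role directly after login and before logout, and to catch whichever code rewrites it, is a small must-use plugin on the test site. This is an added example, not code from the Authorizer plugin or from the thread; it uses only core WordPress hooks, assumes WP_DEBUG_LOG is enabled, and the role_reset_debug_* names are hypothetical. It logs the same wp_capabilities meta_value requested above, rebuilt in its serialized a:1:{...} form.

```php
<?php
/**
 * Plugin Name: Role Reset Debug (added example, not part of Authorizer)
 * Drop into wp-content/mu-plugins/ on the TEST site. Logs roles and the raw
 * wp_capabilities meta_value at login and logout, and a backtrace whenever
 * WP_User::set_role() runs, so the step that resets the role can be found.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

function role_reset_debug_log( $stage, $user_id ) {
    global $wpdb;
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        error_log( sprintf( '[role-debug] %s: user %d not found', $stage, $user_id ) );
        return;
    }
    // Same meta_key as the wp_capabilities row discussed above, built from the
    // configured table prefix instead of hard-coding "wp_".
    $meta_key = $wpdb->prefix . 'capabilities';
    $raw      = get_user_meta( $user_id, $meta_key, true ); // unserialized array
    error_log( sprintf(
        '[role-debug] %s: user=%s roles=%s %s=%s',
        $stage,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $meta_key,
        maybe_serialize( $raw ) // back to the a:1:{...} form seen in the DB
    ) );
}

// After a successful login (CAS included); $user is the WP_User object.
add_action( 'wp_login', function ( $user_login, $user ) {
    role_reset_debug_log( 'after-login', $user->ID );
}, 10, 2 );

// Just before the auth cookie is cleared, while the current user is still set.
add_action( 'clear_auth_cookie', function () {
    role_reset_debug_log( 'before-logout', get_current_user_id() );
} );

// Every role rewrite, with the call stack that triggered it: this is the line
// to look for when the Editor -> Subscriber reset happens.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    error_log( sprintf( '[role-debug] set_user_role: user=%d %s -> %s via %s',
        $user_id, implode( ',', (array) $old_roles ), $role, wp_debug_backtrace_summary() ) );
}, 10, 3 );
```

Log in with the affected test account, log out, and compare the after-login and before-logout lines with any set_user_role line between them; the backtrace names the plugin or theme function that changed the role.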